Microsoft Exchange CVE-2026-42897 Exploited in Active Attacks Against On-Prem OWA
Microsoft Exchange is back in the defender hot seat, and this time the entry point is not a classic server-side takeover. CVE-2026-42897 turns Outlook Web Access into the exposure point, using a crafted email to trigger attacker-controlled JavaScript in a victim’s browser session.
Microsoft disclosed the flaw on May 14, 2026, and marked it as actively exploited. The vulnerability carries a CVSS score of 8.1 and affects on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Exchange Online is not affected.
What Happened
CVE-2026-42897 is a spoofing vulnerability rooted in improper neutralization of input during web page generation, effectively a cross-site scripting issue in Microsoft Exchange Server.
Microsoft says exploitation requires an attacker to send a specially crafted email to a user. If that email is opened in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can execute in the user’s browser context.
That matters because the payload rides through email and activates inside the webmail experience. The attacker does not need to begin with malware execution on the endpoint or direct code execution on the Exchange server.
Affected Systems
The affected products are on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition, across update levels. Microsoft’s cloud-hosted Exchange Online service is not listed as impacted.
At the time of disclosure, Microsoft has not released a permanent fix. Instead, it is relying on a temporary mitigation delivered through the Exchange Emergency Mitigation Service (EEMS), which applies a URL Rewrite rule automatically on servers where the service is enabled.
Why This Stands Out
The operational risk is not just that Exchange is vulnerable again. It is that the exploit path sits where users already work: the inbox.
A crafted message opened through OWA can become a script execution trigger inside the browser session. That creates room for spoofing, session abuse, phishing inside a trusted interface, or manipulation of what the user sees in the web client.
Microsoft has not publicly attributed the exploitation to a named threat actor, and public reporting has not confirmed victim count, target sectors, or campaign scale. That lack of detail should not slow response. “Exploitation detected” on an internet-facing Exchange-adjacent workflow is enough to move this into urgent triage.
Mitigation Guidance
Microsoft recommends using the Exchange Emergency Mitigation Service as the primary temporary defense. The service is enabled by default on supported Mailbox servers, but administrators should verify that it has not been disabled.
For environments where automatic mitigation is unavailable, including some restricted or air-gapped deployments, Microsoft points administrators to the Exchange On-premises Mitigation Tool. The mitigation can be applied per server or across eligible Exchange servers through an elevated Exchange Management Shell.
Defenders should also inventory exposed OWA endpoints, confirm mitigation status on every on-prem Exchange server, review access logs for unusual OWA activity, and watch for suspicious email content that appears designed to influence browser-side rendering.
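One way to run the status check described above from an elevated Exchange Management Shell, as an added example that is not from the article or from Microsoft's guidance: it reads the organization-level and per-server EEMS settings, checks the MSExchangeMitigation Windows service on each Mailbox server, and flags servers where the mitigation has not been applied. The EEMS mitigation ID for this CVE is not named on this page, so `$ExpectedMitigation` is a placeholder.

```powershell
# Added example, not from the article or Microsoft's guidance. Run from an elevated
# Exchange Management Shell (Windows PowerShell) with Organization Management rights.
# The EEMS mitigation ID for CVE-2026-42897 is not given on this page, so the value
# below is a placeholder: replace it with the ID Microsoft publishes for this CVE.
$ExpectedMitigation = 'PLACEHOLDER-MITIGATION-ID'

# Organization-level switch. If this is false, EEMS applies nothing anywhere,
# regardless of the per-server MitigationsEnabled value.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'Mitigations are disabled at the organization level; re-enable with Set-OrganizationConfig -MitigationsEnabled $true'
}

# Per-server inventory. EEMS runs as the Windows service MSExchangeMitigation on
# each Mailbox server and records what it has applied in MitigationsApplied.
$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $state = 'NotFound'
    if ($svc) { $state = [string]$svc.Status }
    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        ServiceState       = $state
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($srv.MitigationsApplied -join ', ')
        Blocked            = ($srv.MitigationsBlocked -join ', ')
        HasExpected        = [bool]($srv.MitigationsApplied -contains $ExpectedMitigation)
    }
}

$report | Format-Table -AutoSize

# Anything listed here needs manual follow-up: re-enable EEMS, unblock the mitigation,
# or apply it with the Exchange On-premises Mitigation Tool where EEMS cannot reach out.
$needsAction = $report | Where-Object {
    $_.ServiceState -ne 'Running' -or -not $_.MitigationsEnabled -or -not $_.HasExpected
}
foreach ($row in $needsAction) {
    $msg = '{0}: service={1} enabled={2} expectedApplied={3} blocked=[{4}]'
    Write-Warning ($msg -f $row.Server, $row.ServiceState, $row.MitigationsEnabled, $row.HasExpected, $row.Blocked)
}
```

Get-Mitigations.ps1 in the Exchange Scripts folder shows the same per-server data, including the IDs of the mitigations EEMS has applied, which is where the placeholder value above comes from.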
NeuraCyb's Assessment
CVE-2026-42897 is a reminder that Exchange risk is not limited to remote code execution headlines. Browser-context exploitation through OWA can still give attackers a powerful foothold in trust, identity, and user interaction. Until Microsoft ships a permanent fix, the priority is simple: verify mitigation, reduce unnecessary OWA exposure, and treat crafted-email activity against webmail users as a serious signal.
References
Microsoft Exchange Team: Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
Microsoft Security Response Center: CVE-2026-42897
CVE.org: CVE-2026-42897 Record
BleepingComputer: Microsoft warns of Exchange zero-day flaw exploited in attacks
The Hacker News: On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email