Microsoft confirmed active exploitation of CVE-2026-42897, a cross-site scripting flaw in on-premises Exchange Server that allows attackers to execute arbitrary JavaScript against targets who open a crafted email in Outlook Web Access. All supported on-premises Exchange versions are affected. Exchange Online customers are not exposed.
How a Crafted Email Delivers the CVE-2026-42897 XSS Payload in Outlook Web Access
CVE-2026-42897 (CVSS 8.1) is an improper neutralization of input vulnerability in the OWA component of on-premises Exchange Server, classified as a spoofing vulnerability enabled through cross-site scripting. When a victim opens or previews a specially crafted email in Outlook Web Access under conditions described in Microsoft’s advisory, malicious JavaScript embedded in the message executes in the victim’s browser session within the Exchange domain context.
The attack requires no server-side access or lateral movement by the attacker before delivery. The payload travels through the standard email pipeline — delivered to the victim’s inbox like any other message — and OWA’s email rendering triggers execution when the target opens or previews the email. Microsoft confirmed active exploitation at the time of disclosure but has not publicly identified the threat actor, the scale of ongoing attacks, or the number of confirmed compromises.
All Three Supported On-Premises Exchange Versions Affected with No Permanent Patch Available
Microsoft confirmed that CVE-2026-42897 affects every currently supported on-premises Exchange deployment: Exchange Server 2016 at all update levels, Exchange Server 2019 at all update levels, and Exchange Server Subscription Edition at all update levels. No version of on-premises Exchange is exempt. Exchange Online, which runs on Microsoft-managed infrastructure with a different OWA implementation, is not affected.
A permanent code-level fix is in development. Microsoft has not provided a timeline for the patch’s release. In the interim, the company has deployed an automatic mitigation through the Exchange Emergency Mitigation Service, which pushes a URL rewrite rule to block the specific request pattern exploited by CVE-2026-42897. EEMS activates automatically on connected Exchange servers and does not require administrator intervention.
EEMS and EOMT as Interim Controls Pending the CVE-2026-42897 Fix
The Exchange Emergency Mitigation Service is a built-in automated response mechanism available in Exchange Server 2016, 2019, and Subscription Edition. When Microsoft pushes a mitigation through EEMS, connected Exchange servers apply the configuration — in this case, a URL rewrite rule — without requiring manual patch deployment. Administrators should verify that EEMS is active and that the CVE-2026-42897 mitigation has been applied by reviewing the EEMS log on each server.
For environments where EEMS is disabled due to compliance requirements, network isolation, or administrative policy, Microsoft has made the Exchange On-Premises Mitigation Tool available. EOMT performs the equivalent URL rewrite configuration manually and is supported for air-gapped Exchange deployments that cannot reach EEMS endpoints. Both mitigations address the attack vector while a permanent patch is built.
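The verification step above, as an added example that is not part of the original article or of Microsoft's own tooling: it reads the organization-level and per-server EEMS properties exposed by Get-OrganizationConfig and Get-ExchangeServer, then tails the EM service log on servers that do not report the expected mitigation. It assumes the Exchange Management Shell, PowerShell remoting to each server, and the default EEMS log directory; the mitigation ID for CVE-2026-42897 is not given in the article, so $MitigationId is a placeholder to replace from Microsoft's advisory.

```powershell
# Added example (not from the article or from Microsoft): report EEMS status and
# applied mitigations per server, then inspect the EM service log where the
# expected mitigation is missing. Run from the Exchange Management Shell.
# Placeholder: the article does not give the mitigation ID; take it from the advisory.
$MitigationId = 'MITIGATION-ID-PLACEHOLDER'

# Organization-level switch. If this is False, EEMS is off everywhere and the
# EOMT route to the URL rewrite mitigation applies instead.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Output "EEMS enabled at organization level: $orgEnabled"

# Per-server view. MitigationsApplied and MitigationsBlocked are written back by
# the EM service on each server after it processes Microsoft's mitigation feed.
$report = foreach ($server in Get-ExchangeServer) {
    $applied = @($server.MitigationsApplied)
    [pscustomobject]@{
        Server              = $server.Name
        MitigationsEnabled  = $server.MitigationsEnabled
        Applied             = ($applied -join ', ')
        Blocked             = (@($server.MitigationsBlocked) -join ', ')
        HasTargetMitigation = ($applied -contains $MitigationId)
    }
}
$report | Format-Table -AutoSize

# Servers without the target mitigation need a closer look: confirm the EM
# service is running and read the newest EEMS log for entries about it.
foreach ($entry in ($report | Where-Object { -not $_.HasTargetMitigation })) {
    Invoke-Command -ComputerName $entry.Server -ArgumentList $MitigationId -ScriptBlock {
        param($id)
        $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
        $svcStatus = if ($svc) { $svc.Status } else { 'not found' }
        "[{0}] MSExchangeMitigation service: {1}" -f $env:COMPUTERNAME, $svcStatus
        # Default EEMS log location under the Exchange install path (assumed unchanged).
        $logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
        $latest = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $latest) { "[{0}] no EEMS log found in {1}" -f $env:COMPUTERNAME, $logDir; return }
        "[{0}] newest EEMS log: {1} ({2})" -f $env:COMPUTERNAME, $latest.Name, $latest.LastWriteTime
        # Surface recent lines that mention the mitigation ID or an error condition.
        Get-Content -Path $latest.FullName -Tail 200 |
            Where-Object { $_ -match [regex]::Escape($id) -or $_ -match 'error|fail' } |
            Select-Object -Last 20
    }
}
```

A server that shows MitigationsEnabled as True but an empty Applied list and a stale log usually cannot reach the EEMS endpoints, which is the case the article reserves for EOMT.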
On-Premises Exchange OWA as a Recurring Attack Surface for Email-Borne Exploits
CVE-2026-42897 follows a pattern of Exchange vulnerabilities that weaponize email delivery rather than requiring network-level access to Exchange services. Attacks routed through the mail queue reach targets on every supported Exchange version simultaneously and are difficult to block at the perimeter without disrupting legitimate mail flow — making this class of vulnerability particularly effective against organizations that have not migrated to Exchange Online.
Microsoft’s confirmation of active exploitation means attackers have already developed a working exploit and are directing it at unpatched on-premises Exchange infrastructure. Defenders should verify EEMS mitigation status, review OWA access logs for anomalous activity attributable to JavaScript execution, and establish an expedited upgrade path for systems still running Exchange Server 2016 — a version approaching end of support — that cannot receive the permanent patch quickly. Organizations on Exchange Server Subscription Edition should monitor Microsoft’s advisory page for patch availability and apply the fix on the day it ships given the confirmed exploitation status.
