Microsoft’s June 2026 Patch Tuesday delivers the permanent code fix that Exchange Server administrators have awaited since May: a patch for CVE-2026-42897, a critical cross-site scripting vulnerability in Outlook Web Access that has been actively exploited in the wild while organizations depended on Microsoft’s automated emergency mitigation service to suppress attacks without resolving the underlying code defect.
CVE-2026-42897: The Exploited Exchange OWA Flaw That Needed an Emergency Workaround
The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition. It resides in the Outlook Web Access component — the browser-based interface employees use to access corporate email remotely — where a spoofing and cross-site scripting flaw allows attackers to inject malicious scripts that execute within the security context of authenticated users’ browser sessions. Because OWA sessions carry full Exchange authentication context, a successful injection can enable session hijacking, credential theft, and lateral movement through an organization’s email infrastructure without the attacker ever directly stealing credentials.
Microsoft disclosed CVE-2026-42897 in mid-May 2026 and confirmed exploitation in the wild at that time. A code-level patch was not ready, so the only available protection was the Exchange Emergency Mitigation Service (EEMS) — a Microsoft mechanism that pushes server-side configuration mitigations automatically, without requiring administrator action, but without modifying the vulnerable code. The June 9 patch replaces that temporary suppression with a permanent fix for all affected Exchange Server versions.
How XSS in Outlook Web Access Enables Lateral Movement Without Credential Theft
When a malicious script executes within an authenticated OWA session, it operates with the privileges of that session — accessing session tokens, email content, and all resources the user’s Exchange context can reach. For organizations using on-premises Exchange as the hub for Active Directory authentication, a compromised OWA session belonging to an IT administrator provides a foothold that extends well beyond the inbox. The attack does not require the user to enter credentials on a fake page; the script runs silently within the legitimate OWA interface, invisible to the victim.
EEMS Provided Temporary Coverage; June 9 Patch Delivers Permanent Resolution
The Exchange Emergency Mitigation Service delivered configuration-level protection to Exchange Server deployments automatically from mid-May. Organizations that have not manually applied the June 9 cumulative update — and that do not have EEMS active — remain vulnerable. Administrators should verify that the cumulative update has been applied and confirm that EEMS auto-mitigation had not been administratively disabled on individual servers, since EEMS can be turned off for compatibility reasons without organization-wide visibility.
June 26 Secure Boot Certificate Expiration: 17 Days to Complete the Transition
The June 9 Patch Tuesday carries urgency beyond the Exchange vulnerability. This is the last scheduled Patch Tuesday before the June 26, 2026 expiration of the original 2011 Secure Boot certificates. Microsoft has been distributing replacement certificates through Windows Update, but organizations that have not completed the Secure Boot “dbx” — the forbidden signatures database update that revokes the old certificates — face a hard deadline: after June 26, systems that have not completed the certificate transition will enter a permanently degraded Secure Boot state with no automated recovery path available.
Affected environments include Windows 11, Windows Server 2025, 2022, 2019, and 2016, and any UEFI-enabled infrastructure. Security and IT teams should treat today’s patch as the trigger to audit Secure Boot certificate deployment across all managed systems and confirm the dbx update is in place with 17 days remaining.
SharePoint RCE, Privilege Escalation, and Cloud-Fixed Critical Vulnerabilities in June’s Batch
The June release addresses between 60 and 90 CVEs across Windows, Office, Exchange Server, SharePoint, .NET, and Azure services.
CVE-2026-45659 SharePoint RCE and Cloud-Side Fixes for M365 Copilot and Exchange Online
CVE-2026-45659 is a remote code execution flaw in Windows SharePoint Server that allows authenticated attackers to execute arbitrary code on SharePoint infrastructure. CVE-2026-33841 (Windows kernel elevation of privilege) and CVE-2026-35433 (.NET elevation of privilege) round out the on-premises vulnerabilities requiring customer-side patches.
Two critical vulnerabilities were patched server-side before public disclosure and require no customer action: CVE-2026-45497, a command injection flaw in Microsoft 365 Copilot rated CVSS 7.7 that could break out of the Copilot service boundary into the broader M365 environment, and CVE-2026-48579, an Exchange Online information disclosure flaw rated CVSS 9.1 Critical. Microsoft patched both in its cloud fabric before the announcements.
The June batch follows a May Patch Tuesday that addressed 138 CVEs, 31 rated critical. Microsoft’s AI-powered autonomous vulnerability scanner MDASH, which achieved a 96.55% score on the CyberGym security benchmark, identified 16 of the vulnerabilities fixed in the May release — a figure that positions Microsoft’s internal autonomous tooling as an increasingly significant driver of patch volume compared to external researcher reports.
