On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft Exchange Server XSS Vulnerability CVE-2026-42897 Under Active Exploitation
TL;DR Microsoft has disclosed CVE-2026-42897, a cross-site scripting vulnerability in on-premises Exchange Server that is already under active exploitation. The flaw allows an attacker to execute arbitrary JavaScript in a user's browser via a crafted email opened in Outlook Web Access. Microsoft is providing a temporary mitigation through the Exchange Emergency Mitigation Service while it works on a permanent fix.
What happened
Microsoft released an advisory this May disclosing a cross-site scripting vulnerability in on-premises Exchange Server. The flaw, CVE-2026-42897 (CVSS 8.1), stems from improper input neutralization during web page generation. Microsoft tagged it with an "Exploitation Detected" assessment, indicating active exploitation in the wild.
The attack vector is straightforward: an attacker sends a crafted email to a target user. When that email is opened in Outlook Web Access and certain interaction conditions are met, the vulnerability allows arbitrary JavaScript to execute in the user's browser context. This enables spoofing attacks, potentially including credential harvesting, session hijacking or other client-side compromise.
An anonymous researcher discovered and reported the vulnerability to Microsoft. The advisory does not specify which threat actors are exploiting it, the scale of exploitation efforts, or whether any attacks have succeeded. Those details remain unknown.
Why it matters
Exchange Server is a critical component of email infrastructure in many organisations across MENA. On-premises deployments are still widely used, particularly in regulated sectors and enterprises with strict data residency requirements.
A cross-site scripting vulnerability in the web interface is particularly dangerous because it operates at the browser layer—defenders cannot block it at the network perimeter alone. Users who interact with a crafted email become the attack surface. The CVSS 8.1 score reflects the severity: the vulnerability requires user interaction but allows significant impact.
For SOC analysts and defenders, this means monitoring for evidence of exploitation attempts in email logs and web access patterns. For system administrators managing Exchange deployments, the immediate question is whether your environment is running an affected version and whether temporary mitigations are in place. For developers integrating with Exchange or building on Outlook Web Access, this is a reminder of the XSS risks that persist in web-facing email interfaces.
Affected systems and CVEs
- Microsoft Exchange Server 2016 (all update levels)
- Microsoft Exchange Server 2019 (all update levels)
- Microsoft Exchange Server Subscription Edition (SE) (all update levels)
- Outlook Web Access
CVE: CVE-2026-42897
Note: Exchange Online is not affected by this vulnerability.
What to do
- Enable the Exchange Emergency Mitigation Service: This service is enabled by default and applies the mitigation automatically via URL rewrite configuration. If it is disabled, enable the Windows service.
- For air-gapped environments, use the Exchange on-premises Mitigation Tool (EOMT):
  - Download the latest version from aka[.]ms/UnifiedEOMT
  - Run the script via an elevated Exchange Management Shell
  - For a single server:
    .\EOMT.ps1 -CVE "CVE-2026-42897"
  - For all servers:
    Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
- Be aware of a known cosmetic issue: The EOMT may display "Mitigation invalid for this exchange version." in the Description field. Microsoft confirms this is a cosmetic issue and the mitigation applies successfully if the status shows as "Applied".
- Await the permanent fix: Microsoft is preparing a permanent patch for the vulnerability. The timeline for availability is not specified in the advisory.
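The two questions raised above for administrators (is this server on an affected on-premises build, and is the temporary mitigation in place?) can be answered from the Exchange Management Shell. The following is an added example, not code from the advisory or from Microsoft's EOMT tooling; it assumes the Emergency Mitigation Service runs as the Windows service MSExchangeMitigation and that Get-ExchangeServer exposes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties on builds that ship that service.

```powershell
# Added example, not part of the advisory or of Microsoft's EOMT tooling.
# Run from an elevated Exchange Management Shell (Windows PowerShell 5.1).
# Assumptions: the EEMS Windows service is named "MSExchangeMitigation", and
# Get-ExchangeServer exposes MitigationsEnabled / MitigationsApplied /
# MitigationsBlocked on builds that ship the Emergency Mitigation Service.

# Org-wide switch: if this is $false, EEMS will not apply anything anywhere.
$orgMitigations = (Get-OrganizationConfig).MitigationsEnabled

# Same server set the advisory's EOMT one-liner targets (Edge role excluded).
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$report = foreach ($srv in $servers) {
    # Every on-premises 2016 / 2019 / SE build is listed as affected, so each
    # server here needs the temporary mitigation until the permanent fix ships.
    $svc = Get-Service -ComputerName $srv.Name -Name "MSExchangeMitigation" `
                       -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { "not found" }

    # Flag anything that would leave the server without the automatic mitigation.
    $attention = (-not $orgMitigations) -or
                 (-not $srv.MitigationsEnabled) -or
                 ($null -eq $svc) -or ($svc.Status -ne "Running")

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        EEMSService        = $svcState
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ", ")
        MitigationsBlocked = ($srv.MitigationsBlocked -join ", ")
        NeedsAttention     = $attention
    }
}

"Organization-level MitigationsEnabled: $orgMitigations"
$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Servers flagged NeedsAttention are candidates for enabling the service or running EOMT manually as described above; the MitigationsApplied column is where the CVE-2026-42897 mitigation should appear once EEMS has picked it up.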
Open questions
- How is the vulnerability being exploited in the wild? What specific techniques or payloads are threat actors using?
- Which organisations or sectors are being targeted?
- Has any exploitation been successful, and if so, what was the outcome?
- What is the scale of active exploitation efforts?
- When will Microsoft release the permanent patch?
Source
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email