
HIGH: Microsoft Exchange Server XSS Flaw CVE-2026-42897 Under Active Attack

Microsoft Exchange Server CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access that lets a crafted email execute JavaScript in the victim OWA session. CISA added it to the Known Exploited Vulnerabilities catalog on May 15, 2026 after confirmed in-the-wild exploitation, with a May 29 federal mitigation deadline. Exchange Server 2016, 2019, and Subscription Edition are affected. Exchange Online is not. Microsoft scored it CVSS 8.1, and patches shipped in the May 2026 security update.

By Danny Mercer, CISSP — Lead Security Analyst. May 16, 2026

The hits keep coming for on-premises Exchange administrators. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, just two days after Microsoft shipped the patch on May Patch Tuesday. That timeline tells you everything you need to know about how this one is being treated. Federal civilian agencies have until May 29 to remediate, and the rest of us should not interpret the absence of a personal deadline as permission to take our time.

The flaw lives in Microsoft Exchange Server 2016, Exchange Server 2019, and the new Subscription Edition. Exchange Online customers can exhale because the cloud service is not affected. Everyone running the on-prem product across all cumulative updates needs to read the rest of this carefully.

CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access surface of Exchange. Microsoft scored it CVSS 8.1, while NIST landed at a more modest 6.1, and that gap is worth a moment of explanation. The vector string from Microsoft reads CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, treating the impact on confidentiality and integrity as high. NIST scored the same primitive but treated the scope as changed with low impact, an artifact of how the two organizations interpret browser-context script execution. In the real world, the Microsoft number is closer to what defenders care about because it describes what an attacker actually walks away with.

The attack itself is the kind of thing that should have been impossible after the last twenty years of XSS lessons, but here we are. An attacker crafts an email containing a payload that, when the message is rendered inside OWA, executes arbitrary JavaScript in the victim's browser session. No clicks on attachments are required beyond opening the message. No authentication on the attacker's end is needed because they are sending mail like anyone else. The user interaction is simply reading email, which is the entire purpose of the platform. Once that script fires, it inherits the victim's authenticated OWA session and can read mailboxes, send messages, exfiltrate contents, and pivot to whatever else the user has access to inside the tenant.

What makes this particularly dangerous is the spoofing angle that Microsoft flags in the CWE-79 classification. An attacker can use the foothold to send mail that appears to come from the compromised user, with all the legitimate trust signals baked in. Executive impersonation, finance department wire fraud, and lateral phishing inside the organization all become trivial. The crafted email becomes both the delivery vehicle and the payload generator for whatever the attacker wants to do next.

Microsoft's own assessment tags this as Exploitation Detected, which is their language for confirmed in-the-wild abuse. The discoverer was credited as anonymous, a detail that often correlates with vulnerabilities first surfaced by intrusion responders rather than coordinated researchers. No threat actor attribution has been published, and Microsoft has not shared indicators of compromise or telemetry on the volume of attacks. That should not be reassuring. It usually means the campaigns are either targeted enough to fly under the radar or recent enough that public reporting has not caught up.

The patch shipped on May 13 as part of the monthly security update bundle. For Exchange Server 2016, that means the latest cumulative update with the May 2026 security update layered on top. For Exchange Server 2019, the May security update applies on top of CU14 or later. The Subscription Edition picks up the fix through its normal servicing channel. Microsoft has stated that older cumulative updates are out of support and will not receive the fix, which means anyone still running outdated CUs has bigger problems than this single CVE.

For organizations that cannot patch immediately, Microsoft's Exchange Emergency Mitigation Service handles part of the load automatically. EEMS is enabled by default on supported versions and pulls down server-side mitigations for actively exploited vulnerabilities. Administrators can confirm the service is running by checking the MSExchangeMitigation service state. The standalone Exchange On-premises Mitigation Tool, called EOMT, is available as a manual fallback for environments where EEMS has been disabled or where outbound connectivity to Microsoft's mitigation feed has been blocked. Neither of these is a replacement for the actual patch, and Microsoft has been clear that the security update is the only thing that fully resolves the vulnerability.
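The following check is an added example written for this article, not Microsoft's tooling or code from the page; run it in the Exchange Management Shell on each on-premises server. It assumes the Exchange 2016/2019 mitigation properties (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) are present, and the fixed build number is a placeholder because the article does not state it.

```powershell
# Added example: confirm EEMS is alive and report the installed build on this server.
# $PatchedBuild is a PLACEHOLDER; replace it with the build Microsoft lists for the
# May 2026 SU on your cumulative update before trusting the comparison.
$PatchedBuild = [version]'0.0.0.0'

# 1. Service state: EEMS runs as the MSExchangeMitigation Windows service.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "MSExchangeMitigation service not found on $env:COMPUTERNAME (unsupported CU?)"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "EEMS service is $($svc.Status); mitigations will not be pulled automatically"
} else {
    Write-Output "EEMS service is running on $env:COMPUTERNAME"
}

# 2. Organization- and server-level mitigation switches exposed by Exchange itself.
$org = Get-OrganizationConfig
Write-Output ("Org-level MitigationsEnabled: {0}" -f $org.MitigationsEnabled)

Get-ExchangeServer | ForEach-Object {
    [pscustomobject]@{
        Server             = $_.Name
        CU                 = $_.AdminDisplayVersion
        MitigationsEnabled = $_.MitigationsEnabled
        MitigationsApplied = ($_.MitigationsApplied -join ',')
        MitigationsBlocked = ($_.MitigationsBlocked -join ',')
    }
} | Format-Table -AutoSize

# 3. Installed build. AdminDisplayVersion only reflects the CU, so read the
#    file version of ExSetup.exe, which changes when a security update is applied.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($null -eq $exsetup) {
    Write-Warning "ExSetup.exe not on PATH; run this from the Exchange Management Shell"
} else {
    $build = [version]$exsetup.FileVersionInfo.ProductVersion
    if ($build -lt $PatchedBuild) {
        Write-Warning "Build $build is older than fixed build $PatchedBuild; apply the May 2026 SU"
    } else {
        Write-Output "Build $build meets or exceeds $PatchedBuild"
    }
}
```

A server where MitigationsBlocked is non-empty or the service is stopped is relying on nothing but the patch, so treat it as first in the queue.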

Detection ideas worth chasing this weekend include reviewing OWA logs for unusual message rendering activity tied to inbound mail from external senders, looking for outbound mail flows from user accounts that deviate from baselines after a suspicious inbound message, and hunting for new client rules or forwarding addresses created shortly after the user opened webmail. The script payload executes in the user's context, so any persistence the attacker establishes through Exchange itself, such as transport rules, mailbox delegations, or inbox rules, becomes a useful artifact. Endpoint logs on the OWA client machines are less helpful because the malicious activity happens server-side within the user's session, but unusual session token usage or API calls against the EWS endpoint from unexpected source addresses are worth correlating.
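As an added example (not from the article or Microsoft), the hunt for Exchange-side persistence described above, in the Exchange Management Shell. It assumes admin audit logging is enabled (the on-premises default) and that Get-AcceptedDomain returns only the organization's own domains; the 14-day look-back is an assumed window.

```powershell
# Added example: hunt for inbox rules that leak or hide mail, mailbox-level forwarding,
# and recently run rule/permission cmdlets, which are the artifacts an attacker riding a
# stolen OWA session leaves behind on the server.
$Since   = (Get-Date).AddDays(-14)   # assumed look-back; widen to cover your exposure window
$OwnDoms = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Inbox rule recipients render as '"Name" [SMTP:user@domain]'. Extract the address and
# treat any domain not in the accepted-domain list as external (subdomains are flagged too).
function Test-ExternalRecipient ([string]$Recipient) {
    if ($Recipient -match 'SMTP:([^\]]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLower()
        return ($OwnDoms -notcontains $domain)
    }
    return $false   # non-SMTP entries (EX/X500) resolve to internal directory objects
}

# 1. Inbox rules that forward/redirect outside the org or silently delete messages.
$ruleHits = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-ExternalRecipient $_) }
        if ($external -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $rule.Name
                External = ($external -join ';')
                Deletes  = $rule.DeleteMessage
            }
        }
    }
}
$ruleHits | Format-Table -AutoSize

# 2. Forwarding configured on the mailbox object itself, outside any inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Who created or changed rules, delegations and transport rules in the window.
$Cmdlets = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add-MailboxPermission',
           'Add-MailboxFolderPermission', 'New-TransportRule', 'Set-TransportRule'
Search-AdminAuditLog -StartDate $Since -EndDate (Get-Date) -Cmdlets $Cmdlets |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending | Format-Table -AutoSize
```

Correlate the RunDate of any hit in step 3 with the time the mailbox owner opened a suspicious inbound message in the OWA logs; a rule created minutes after that read is the pattern to chase.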

The harder operational question for many shops is whether they should still be running Exchange on premises at all. Microsoft has been pushing the migration to Exchange Online for years, and the steady drumbeat of on-prem Exchange vulnerabilities, from ProxyLogon in 2021 through ProxyShell and every quarter since, makes the case for itself. Subscription Edition is the new long-term home for customers who must remain on premises for regulatory or sovereignty reasons, but even that product inherits the same attack surface that has made Exchange a perennial favorite of nation-state and ransomware actors. The economics of running your own mail server keep getting worse, and CVE-2026-42897 is another data point on a curve that has been bending in one direction for a while.

Every customer running on-prem Exchange is a candidate for a thirty-day emergency patch sprint and a longer conversation about Microsoft 365 migration. Managed service providers who have been waiting for a fresh catalyst to revisit migration plans now have one with a CISA KEV entry and a federal mitigation deadline attached. Beyond the migration pitch, the immediate revenue opportunity is a paid Exchange health check that confirms patch status across the customer base, validates that EEMS is enabled, audits OWA usage patterns, and surfaces any forgotten Exchange servers hiding in branch offices or disaster recovery sites. Those forgotten servers are the ones that get owned, and finding them before an attacker does is the kind of work that justifies retainer hours.

For customers who insist on staying on premises, the conversation shifts to compensating controls. Web Application Firewall coverage on the OWA front end, mandatory multi-factor authentication on every user account, conditional access that constrains OWA to managed devices, and email gateway filtering that strips active content from inbound mail before it ever reaches the mailbox are all defensible upsells. None of those individually would have stopped CVE-2026-42897 cold, but each layer cuts the blast radius of the next one.

The closing point is the boring one that keeps getting repeated because it keeps being right. Patch Exchange this weekend. Verify the patch took. Confirm EEMS is healthy. Hunt for signs of post-exploitation in mailboxes that handle anything valuable. And then start the migration conversation, because this CVE will not be the last one.
