
Emerging Threat: (CVE-2026-42897) Microsoft Exchange OWA Cross-Site Scripting via Crafted Email

Sample of assets impacted by Exchange OWA XSS vulnerability, identified by the CyCognito Platform

What is CVE-2026-42897?

CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access (OWA) interface of on-premises Microsoft Exchange Server. Microsoft disclosed the flaw on May 14, 2026, two days after the May 2026 Patch Tuesday release, and confirmed it is being actively exploited in the wild. An anonymous researcher is credited with reporting the issue.

The vulnerability carries a CVSS v3.1 base score of 8.1 (High) under Microsoft's scoring. Exploitation requires user interaction but no attacker authentication. The attack proceeds by sending a specially crafted email to a target user; when the user opens that email in OWA and certain interaction conditions are met, attacker-controlled JavaScript executes in the victim's browser session against the Exchange domain. The flaw is rooted in improper neutralization of input during web page generation, the standard underlying weakness behind reflected and stored XSS.

CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, requiring Federal Civilian Executive Branch agencies to apply mitigations by May 29, 2026. Microsoft has tagged the issue with an "Exploitation Detected" assessment but has not disclosed details of the in-the-wild campaigns.

What assets are affected by CVE-2026-42897?

The vulnerability affects on-premises Microsoft Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) RTM. Exchange Online is not affected. Older unsupported builds such as Exchange Server 2010 fall outside the supported scope of Microsoft's response but are likely vulnerable in practice, and they will not receive the automatic mitigation described below.

In practice, an affected asset is an internet-facing OWA endpoint: a web mail interface published over HTTPS, typically at the network perimeter or in front of a hybrid Exchange environment. These endpoints sit at the center of corporate communication, hold session context for user mailboxes, and authenticate against domain identity. That combination makes the post-exploit blast radius considerably larger than a generic browser-context XSS would suggest. Token theft, mailbox access, and onward phishing from compromised accounts are all plausible follow-on actions.

OWA endpoints are widely exposed by design. Many organizations that have otherwise migrated mail workloads to Exchange Online retain on-premises Exchange for hybrid coexistence, legacy mailbox migration, or specific compliance workloads, and those servers tend to remain internet-facing because OWA is part of how end users access mail externally.

What does our data show about exposure patterns?

Exposure in this set is led by Industrials at 22.1% of observed Exchange assets, with Consumer Discretionary contributing 12.8%.

Industrials' concentration reflects how the sector deploys email infrastructure. Aerospace, defense, transport, professional services, and large industrial conglomerates frequently run on-premises or hybrid Exchange to satisfy regulatory, data residency, or operational requirements that pure cloud mail does not always meet. Those environments often carry multiple Exchange instances across business units and geographies, accumulated over decades of acquisitions and integrations, which keeps the externally exposed surface broader than a single-tenant cloud deployment would produce.

Across the cross-sector pattern, the consistent driver is incomplete migration off on-premises Exchange. Many of the observed assets sit in organizations that have moved most of their mailboxes to Microsoft 365 but retain a small on-premises footprint for hybrid identity, public folders, or migration coexistence. Those residual servers are easy to overlook in patching cadence because they no longer serve the bulk of user mail, but they remain part of the authenticated email surface and remain reachable on the same OWA path.

Are fixes available?

Partial fixes are available. Microsoft has not yet released a permanent code fix for CVE-2026-42897 at the time of writing. In place of a binary patch, Microsoft is shipping automatic mitigation through the Exchange Emergency Mitigation Service (EEMS), under mitigation ID M2.1.x, which applies to Exchange Server 2016, 2019, and SE. EEMS is enabled by default on supported Exchange builds released since March 2023; organizations running older builds need to update Exchange before EEMS can apply the mitigation.

Customers without EEMS coverage can apply the mitigation manually through the Exchange On-Premises Mitigation Tool (EOMT) using the script Microsoft has published alongside the advisory. Verification is available through the Exchange Health Checker (aka.ms/ExchangeHealthChecker), whose HTML report includes an EEMS check section that confirms whether the mitigation has been applied.

Defenders should treat this vulnerability as actively exploited and unpatched at the binary level until a permanent fix ships. Confirm status directly with Microsoft's advisory rather than relying on assumptions about update channels.

Enable Exchange Emergency Mitigation Service if it has been turned off, bring Exchange Server to a build that supports EEMS, and run EOMT manually where EEMS cannot be applied. Audit OWA logs for anomalous JavaScript execution patterns and suspicious mail flow originating from internal accounts that may indicate post-exploitation activity. Restrict OWA access from untrusted networks where the business permits it, and tighten content security policy on the OWA host as a defense-in-depth measure during this window.

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-42897 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.
