Active Exchange Zero-Day: Unpatched OWA Vulnerability Under Exploitation
Microsoft has confirmed CVE-2026-42897, a zero-day XSS vulnerability in on-premise Exchange servers currently under active attack. With no permanent fix availa…

On May 14, 2026, Microsoft disclosed a critical zero-day vulnerability, CVE-2026-42897, affecting on-premise Exchange servers. The flaw is a cross-site scripting (XSS) vulnerability within the Outlook Web Access (OWA) component. It is currently being exploited in the wild, yet a permanent patch has not been released. Following the disclosure, CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog the next day, signaling that organizations must prioritize immediate temporary mitigations.
- On May 14, 2026, Microsoft revealed CVE-2026-42897, an actively exploited XSS zero-day in on-premise Exchange Servers targeting Outlook Web Access.
- No permanent patch currently exists; protection relies on temporary mitigations via the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT).
- CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 15, 2026, setting a compliance deadline of May 29, 2026, for federal agencies.
- The primary impact is mailbox compromise—including session token theft and email exfiltration—rather than full server takeover.
Mailbox Compromise via OWA XSS
The vulnerability resides in the Outlook Web Access component of on-premise installations. According to Microsoft's advisory, as reported by Dark Reading, an attacker can send a specially crafted email to a target. If the victim opens the message in OWA and specific interaction conditions are met, the browser executes arbitrary JavaScript within the context of the session.
This malicious code operates within the user's active session without requiring administrative privileges or the installation of malware on the client machine. Once the payload executes, the attacker can hijack session tokens, read correspondence, or send messages masquerading as the victim. Because the activity occurs within a legitimate session, it is often difficult for traditional endpoint protection systems to detect. The result is a silent mailbox breach that can serve as a launchpad for Business Email Compromise (BEC) campaigns.
Divergent Risk Assessments: CVSS 8.1 vs. 6.1
The severity of the bug has led to a discrepancy between major security bodies. Microsoft has assigned the vulnerability a CVSS score of 8.1, whereas NIST’s National Vulnerability Database (NVD) rated it at 6.1. This divergence is more than academic; it directly impacts how organizations prioritize remediation and how quickly security teams respond.
In corporate vulnerability management, a two-point difference on the CVSS scale can determine whether a bug is addressed over a weekend or deferred to the next maintenance cycle. Given that Microsoft has confirmed "Exploitation Detected," any delay increases the risk of a breach. Perimeter defenses are insufficient here, as the primary attack vector is a user simply reading their mail.
CISA Adds Flaw to KEV: May 29 Deadline
On May 15, 2026, CISA officially added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog. The agency set a May 29, 2026, deadline for federal agencies in the Civilian Executive Branch to apply the required mitigations. This move confirms that the threat has transitioned from a theoretical risk to observed field activity.
While CISA's mandates are only legally binding for federal agencies, they serve as a critical severity indicator for the private sector. Inclusion in the KEV catalog signals that the vulnerability is being used in real-world exploits, not just laboratory proofs-of-concept. This evidence often compels organizations to accelerate their patching schedules, particularly when the vendor admits that a permanent fix is still pending.
"isn't server compromise. It's mailbox compromise — reading mail, sending emails as the victim, stealing session tokens, planting forwarding rules that survive password resets." — Bogdan Tiron, founder of Fortbridge (via Dark Reading)
EEMS and EOMT: Microsoft’s Interim Mitigations
While a permanent fix is in development, Microsoft has released temporary countermeasures. The Exchange Emergency Mitigation Service (EEMS) can automatically deploy mitigation rules to compatible servers. For environments that do not support the automated service, the Exchange On-premises Mitigation Tool (EOMT) provides a manual alternative. Both methods aim to block the known attack vector without resolving the underlying code flaw.
Relying on these tools rather than a standard patch introduces operational complexity. Administrators must verify that servers are correctly receiving EEMS updates and that EOMT is executed with the necessary permissions. Furthermore, these mitigations may impact OWA functionality and require careful monitoring. The lack of a firm timeline for a final patch leaves on-premise environments in a state of prolonged uncertainty.
Recommended Response Actions
- Deploy EEMS and EOMT: Immediately apply temporary mitigations to all affected on-premise Exchange servers following Microsoft’s advisory. Manual application via EOMT is essential for environments not managed by the automated service.
- Audit Mail and Forwarding Rules: Inspect OWA configurations for unauthorized forwarding rules or message processing instructions. Rules established during a compromise can persist after a password reset and continue to exfiltrate data.
- Monitor Session and Access Logs: Review OWA access logs for anomalous authentication patterns or unusual geographic locations, which may indicate hijacked session tokens.
- Prepare for the Permanent Patch: These mitigations are stop-gap measures. Infrastructure teams must monitor Microsoft communication channels closely and schedule the application of the permanent fix as soon as it becomes available.
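The two audit steps above (forwarding rules and OWA access patterns) can be scripted. The following is an added example, not code from the article, from Microsoft, or from EEMS/EOMT. It is meant to be run from the Exchange Management Shell on an on-premise server after the mitigations are in place. It assumes a placeholder accepted domain (`contoso.example`), the default IIS W3C log location and field layout for the front-end site, and that `cs-username` is populated for authenticated OWA requests; adjust the parameters for your environment.

```powershell
# Added triage example (assumptions: placeholder domain, default IIS log path/fields).
param(
    [string[]]$InternalDomains = @('contoso.example'),       # assumption: your accepted domains
    [string]$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',  # default front-end site log path
    [int]$DaysBack = 7,
    [int]$IpThreshold = 3                                     # distinct client IPs per user before flagging
)

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets stringify as "Display Name [SMTP:user@domain]" or a bare address; extract the domain.
    if ($Address -match '([^@\[\s]+)@([^\]\s>]+)') {
        return ($InternalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

function Get-SuspiciousForwarding {
    # Finds mailbox-level forwarding and inbox rules that forward, redirect, or silently delete mail.
    # Such rules persist across password resets, so they are checked independently of credentials.
    $findings = @()
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Kind = 'MailboxForwarding'
                Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
            }
        }
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            $external = $targets | Where-Object { Test-ExternalAddress ([string]$_) }
            if ($external -or $rule.DeleteMessage) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Kind = 'InboxRule'
                    Detail  = "Name='$($rule.Name)' Enabled=$($rule.Enabled) Delete=$($rule.DeleteMessage) External=$($external -join ';')"
                }
            }
        }
    }
    return $findings
}

function Get-OwaMultiIpUsers {
    # Parses IIS W3C logs and reports users whose /owa/ requests came from many distinct client IPs,
    # a coarse indicator of a session token being replayed from elsewhere.
    $since = (Get-Date).AddDays(-$DaysBack)
    $seen  = @{}   # user -> hashtable of client IPs
    $files = Get-ChildItem -Path $IisLogDir -Filter 'u_ex*.log' | Where-Object { $_.LastWriteTime -ge $since }
    foreach ($file in $files) {
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $cols = $line -split ' '
            $uri  = $cols[[array]::IndexOf($fields, 'cs-uri-stem')]
            if ($uri -notlike '/owa/*') { continue }
            $user = $cols[[array]::IndexOf($fields, 'cs-username')]
            if ($user -eq '-') { continue }     # unauthenticated request (logon page, static content)
            $ip = $cols[[array]::IndexOf($fields, 'c-ip')]
            if (-not $seen.ContainsKey($user)) { $seen[$user] = @{} }
            $seen[$user][$ip] = $true
        }
    }
    $seen.GetEnumerator() | Where-Object { $_.Value.Count -ge $IpThreshold } | ForEach-Object {
        [pscustomobject]@{ User = $_.Key; DistinctIPs = $_.Value.Count; IPs = ($_.Value.Keys -join ', ') }
    }
}

Write-Host "== Forwarding / inbox-rule findings =="
Get-SuspiciousForwarding | Format-Table -AutoSize
Write-Host "== OWA users seen from >= $IpThreshold client IPs in the last $DaysBack days =="
Get-OwaMultiIpUsers | Sort-Object DistinctIPs -Descending | Format-Table -AutoSize
```

Two caveats on the log check: if OWA sits behind a load balancer or reverse proxy, `c-ip` will be the proxy's address unless X-Forwarded-For logging is enabled, and the back-end site's logs (typically `W3SVC2`) record the front-end server as the client, so read the front-end site's logs. Treat the multi-IP list as a triage queue to correlate with geography and device, not as proof of compromise; a finding in the forwarding audit is the stronger signal and warrants resetting the session and removing the rule.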
In 2026, the persistence of XSS vulnerabilities in enterprise-grade web clients highlights a growing paradox: entry-level attack techniques remain effective because on-premise perimeters have become too complex to secure with agility. The situation surrounding CVE-2026-42897 underscores a systemic divide: while cloud services receive transparent, centralized fixes, organizations maintaining their own Exchange infrastructure must navigate a manual, session-by-session race against attackers.
Frequently Asked Questions
- Which versions of Exchange are affected?
- The vulnerability affects on-premise installations of Exchange Server 2016, 2019, and the Subscription Edition. Exchange Online, the Microsoft-managed cloud version, is not affected.
- Why did CISA set a May 29 deadline?
- The agency added the flaw to the KEV catalog on May 15, 2026, in response to confirmed exploitation. Federal agencies are required to mitigate the risk within this timeframe to protect the government's attack surface.
- Is the EOMT mitigation sufficient to resolve the issue?
- No. EEMS and EOMT only block the known attack vector; they do not fix the underlying vulnerability. Organizations must apply the permanent patch once released and verify that their mailboxes have not already been compromised.
Sources
- https://www.darkreading.com/vulnerabilities-threats/microsoft-exchange-zero-day-no-patch
- https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
- https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html
- https://therecord.media/cisa-orders-all-federal-agencies-to-patch-cisco-sd-wan-bug
- https://thehackernews.com/2026/05/android-adds-intrusion-logging-for.html
- https://www.schneier.com/blog/archives/2026/05/zero-day-exploit-against-windows-bitlocker.html