Microsoft Patches Actively Exploited Exchange Zero-Day, Mandates Dual-Layer Defense

Microsoft has released a permanent patch for CVE-2026-42897, an XSS zero-day in Exchange OWA. Despite the update, Microsoft still wants the EEMS mitigation left in place, and legacy clients that open OWA in IE Mode fall outside that mitigation's coverage.

Microsoft released a permanent patch on June 9, 2026, for CVE-2026-42897, a cross-site scripting (XSS) zero-day vulnerability in the Outlook Web Access (OWA) component of Exchange Server. The flaw has been actively exploited since at least mid-May. While the Patch Tuesday update closes the primary attack vector, the company explicitly recommends maintaining the temporary Exchange Emergency Mitigation Service (EEMS) released last month as a secondary defense layer.

Key Takeaways
  • CVE-2026-42897 is rated CVSS 8.1 (High) with confirmed in-the-wild exploitation: an XSS vector in OWA, impact C:H/I:H/A:N, requiring "certain interaction conditions" in Microsoft's wording.
  • Affected Products: Exchange Server 2016, 2019, and Subscription Edition (SE); Exchange Online is not affected.
  • Microsoft released the EEMS mitigation in mid-May 2026, followed by the permanent patch on June 9; both remain recommended for simultaneous deployment.
  • Internet Explorer and Microsoft Edge in IE Mode are not protected by EEMS because they do not implement Content Security Policy (CSP), which the mitigation relies on; legacy environments that open OWA this way remain exposed.

The Mechanism: Turning an Email into Code Execution

The vulnerability sits in OWA's message rendering. According to the Microsoft advisory, "an attacker could exploit this issue by sending a specially crafted email to a user." Script embedded in the message body that OWA fails to sanitize runs in the victim's browser, inside the OWA session, when the message is opened, provided the "certain interaction conditions" cited in the official documentation are met.

Delivery is by mail, but execution is entirely client-side. The impact is rated C:H/I:H: the injected JavaScript runs with the privileges of the authenticated OWA page, so it can read and act on the mailbox through the same requests OWA itself makes, a total loss of confidentiality and integrity within the session. The absence of an availability impact (A:N in the CVSS vector) does not lessen the severity; a compromised OWA session is often equivalent to full mailbox access.

From Emergency Mitigation to Patch: A Month Under Pressure

Microsoft's first line of defense, activated in mid-May 2026, was the Exchange Emergency Mitigation Service (EEMS), which automatically pushed a Content Security Policy (CSP) based mitigation to Exchange servers; CSP-aware browsers honor the policy and refuse to run the injected script. On May 15, CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, setting a May 29 patching deadline for U.S. federal agencies.

The June Patch Tuesday finalized the official updates. However, Microsoft’s recommendation remains hybrid: "We recommend that customers keep the mitigation described in place. The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released."

"Microsoft recommends installing the June 2026 Security Updates for your version of Exchange Server as soon as possible to be protected from this vulnerability" — Exchange Team/Microsoft

The Legacy Browser Gap: IE Mode Leaves the Door Open

The EEMS mitigation relies on Content Security Policy, a mechanism that Internet Explorer and Microsoft Edge in IE Mode do not implement. The official MSRC FAQ is unambiguous: "No, because Content Security Policy (CSP) is not supported by Internet Explorer nor Microsoft Edge using Internet Explorer Mode. To stay protected, please make sure to not use Internet Explorer (Mode) to access OWA."

This is a real operational gap. Many enterprises keep IE Mode enabled for legacy line-of-business applications, and an Enterprise Mode site list entry that is broader than intended (a whole domain rather than the legacy application's host) silently sends OWA to the Trident engine as well. Those clients ignore the CSP header, so the EEMS layer gives them nothing: before the patch they were never protected, and after it they depend on the server-side fix alone, with no second layer should that fix need further improvement. Microsoft's guidance to stop using IE Mode for OWA is clear, but it comes with no technical enforcement; each organization has to implement it in its own site list and browser policy.
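The two paragraphs above turn on one mechanism: a CSP-enforcing browser reads the Content-Security-Policy header EEMS adds and refuses inline script, while IE and IE Mode never evaluate it. The following PowerShell is an added example, not Microsoft's EEMS code and not taken from the article's sources. It shows how a CSP-capable browser decides whether an inline `<script>` or inline event handler may run, so an administrator can feed in the header OWA actually returns and see what it does (or does not) restrict. The policy strings are constructed for illustration; the real EEMS policy is not reproduced here, and the host name in the trailing comment is hypothetical.

```powershell
# Added example; not Microsoft's EEMS code and not taken from the article's sources.
# Evaluates whether a Content-Security-Policy header value would stop an inline <script>
# (or inline event handler) from running in a CSP-enforcing browser. IE and Edge IE Mode
# ignore the header entirely, so this logic never runs for them.

function ConvertFrom-Csp {
    param([Parameter(Mandatory)][string]$Policy)
    # A policy is a ';'-separated list of directives: "<name> <source> <source> ..."
    $directives = @{}
    foreach ($part in ($Policy -split ';')) {
        $tokens = $part.Trim() -split '\s+'
        if ([string]::IsNullOrWhiteSpace($tokens[0])) { continue }
        $name = $tokens[0].ToLowerInvariant()
        # Browsers honor only the first occurrence of a directive name
        if (-not $directives.ContainsKey($name)) {
            $directives[$name] = @($tokens | Select-Object -Skip 1)
        }
    }
    return $directives
}

function Test-CspBlocksInlineScript {
    param([Parameter(Mandatory)][string]$Policy)
    $d = ConvertFrom-Csp -Policy $Policy
    # script-src governs inline script; absent that, default-src applies.
    # (script-src-elem / script-src-attr refinements are deliberately ignored here.)
    $sources = $null
    if     ($d.ContainsKey('script-src'))  { $sources = $d['script-src'] }
    elseif ($d.ContainsKey('default-src')) { $sources = $d['default-src'] }
    if ($null -eq $sources) { return $false }   # nothing governs script: inline code runs

    $unsafeInline = $sources -contains "'unsafe-inline'"
    # With a nonce or hash source, or 'strict-dynamic', browsers ignore 'unsafe-inline'
    $nonceOrHash  = @($sources | Where-Object { $_ -match "^'(nonce-|sha(256|384|512)-)" }).Count -gt 0
    $strictDyn    = $sources -contains "'strict-dynamic'"
    # An empty source list (or one without 'unsafe-inline') blocks inline script
    return -not ($unsafeInline -and -not $nonceOrHash -and -not $strictDyn)
}

# Constructed policies covering the cases that matter for an injected-script payload
$samples = @(
    "default-src 'self'; script-src 'self'",                   # no 'unsafe-inline': inline script is refused
    "default-src 'self'; script-src 'self' 'unsafe-inline'",   # 'unsafe-inline' with no nonce/hash: inline runs
    "script-src 'self' 'unsafe-inline' 'nonce-d41d8cd9'",      # nonce present, so 'unsafe-inline' is ignored
    "img-src 'self'"                                           # no script-src/default-src: nothing restricts script
)
foreach ($p in $samples) {
    [pscustomobject]@{ BlocksInlineScript = (Test-CspBlocksInlineScript -Policy $p); Policy = $p }
}

# To evaluate the header an OWA server actually sends (hypothetical host name; the header is
# assumed to be present on the response you examine):
# $r = Invoke-WebRequest -Uri 'https://mail.example.com/owa/' -UseBasicParsing
# Test-CspBlocksInlineScript -Policy ([string]$r.Headers['Content-Security-Policy'])
```

The function models the browser-side decision only; whether the EEMS header reaches a given client depends on the server having the mitigation applied and on any proxy or load balancer in front of OWA leaving the header intact, so check the response as the client receives it rather than on the Exchange server alone.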

The EEMS mitigation's side effects, documented in Rescana's analysis, add further complexity: loss of the "Print Calendar" function in OWA, problems with inline images, and incompatibility with OWA Light. Organizations that disabled EEMS to get around these issues were exposed to the zero-day for a full month, until the June 9 release.

Required Actions

  • Immediately install the June 2026 updates for Exchange Server 2016, 2019, and SE; the patch is permanent but does not replace the EEMS mitigation.
  • Keep the EEMS mitigation active as an additional defensive layer, in accordance with explicit Microsoft guidance.
  • Audit and block OWA access from Internet Explorer or Edge in IE Mode; these browsers do not enforce CSP, so the EEMS layer does nothing for them.
  • Verify that the Print Calendar function and inline images are restored after installing the permanent patch, and watch for regressions.
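Auditing the IE Mode gap from the list above needs two views: which clients are actually reaching OWA with the Trident engine, and whether browser policy is sending them there. The PowerShell below is an added example, not Microsoft's tooling and not taken from the article's sources. The first function scans IIS W3C logs for OWA requests whose user agent is Internet Explorer or Edge IE Mode (both present a Trident/7.0 user agent); the second parses an Enterprise Mode site list and reports entries that route the OWA host into IE11, including the broad domain entry that catches OWA by accident. The log lines, host names and site list are constructed; the subdomain matching rule is a simplification of the real site list precedence rules.

```powershell
# Added example; not Microsoft's tooling and not taken from the article's sources.
# (1) Find OWA requests in IIS W3C logs that came from IE or Edge IE Mode (Trident UA).
# (2) Check whether an Enterprise Mode site list entry routes the OWA host into IE11.
# All sample data below is constructed.

function Get-IeModeOwaHits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header names the columns; field order can differ between log files
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notmatch '^/owa(/|$)') { continue }   # OWA only; /ecp etc. ignored
        $ua = $row['cs(User-Agent)'] -replace '\+', ' '                 # IIS writes spaces as '+'
        if ($ua -notmatch 'Trident/|MSIE ') { continue }                # IE11 and IE Mode both send Trident/7.0
        [pscustomobject]@{
            Date = $row['date']; Time = $row['time']; User = $row['cs-username']
            ClientIP = $row['c-ip']; Path = $row['cs-uri-stem']; UserAgent = $ua
        }
    }
}

function Test-SiteListCoversHost {
    param([Parameter(Mandatory)][string]$SiteListXml, [Parameter(Mandatory)][string]$Hostname)
    [xml]$doc = $SiteListXml
    foreach ($site in $doc.'site-list'.site) {
        # Simplified matching (assumption): an entry names a host, optionally followed by a path,
        # and a host entry also covers its subdomains. Real precedence rules are richer.
        $entryHost = (($site.url -replace '^https?://', '') -split '/')[0]
        $covers = ($Hostname -eq $entryHost) -or $Hostname.EndsWith(".$entryHost", [System.StringComparison]::OrdinalIgnoreCase)
        if ($covers -and $site.'open-in' -eq 'IE11') {
            [pscustomobject]@{ Host = $Hostname; MatchedEntry = $site.url; OpenIn = $site.'open-in' }
        }
    }
}

# Constructed IIS log excerpt: two Trident hits from alice, one anonymous Trident hit on the
# logon page, one Chromium Edge hit from bob, and a Trident hit on /ecp that is out of scope.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-06-10 08:15:02 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 120
2026-06-10 08:15:40 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/125.0.0.0+Safari/537.36+Edg/125.0.0.0 - 200 0 0 80
2026-06-10 08:16:10 10.0.0.5 POST /ecp/ - 443 CONTOSO\carol 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 95
2026-06-10 08:17:00 10.0.0.5 GET /owa/service.svc action=GetConversationItems 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 30
2026-06-10 08:18:25 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.contoso.com/owa/ 443 - 10.0.1.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+Trident/7.0) - 200 0 0 60
'@ -split "`r?`n"

$hits = Get-IeModeOwaHits -LogLines $sampleLog
$hits | Format-Table Date, Time, User, ClientIP, Path -AutoSize
$hits | Group-Object User, ClientIP | Select-Object Count, Name

# Constructed Enterprise Mode site list: the legacy app entry is fine, but the broad
# 'contoso.com' entry also pulls mail.contoso.com into IE Mode.
$sampleSiteList = @'
<site-list version="1">
  <site url="legacyapp.contoso.com"><compat-mode>IE8Enterprise</compat-mode><open-in>IE11</open-in></site>
  <site url="contoso.com"><open-in>IE11</open-in></site>
</site-list>
'@
Test-SiteListCoversHost -SiteListXml $sampleSiteList -Hostname 'mail.contoso.com' | Format-Table -AutoSize
```

In production, point `Get-IeModeOwaHits` at `Get-Content` of the Default Web Site logs (under `%SystemDrive%\inetpub\logs\LogFiles` by default) and feed `Test-SiteListCoversHost` the XML served from the URL configured in the Edge `InternetExplorerIntegrationSiteList` policy. On the server side, `Get-ExchangeServer | Format-Table Name, MitigationsEnabled` in the Exchange Management Shell shows whether EEMS is enabled per server, and the `Get-Mitigations.ps1` script in the Exchange Scripts folder lists which mitigations are applied.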

Historical Context: Why Exchange Remains a Primary Target

The longer-run data show a persistent pattern: 20 Exchange vulnerabilities have been added to the CISA KEV catalog over the past five years, 14 of them used by ransomware gangs. CVE-2026-42897 is no outlier; it confirms that on-premises mail servers remain high-value targets.

The June 2026 Patch Tuesday addressed 200 total flaws, including six zero-days. The density of critical vulnerabilities in Exchange reflects the complexity of the codebase and its attractiveness to threat actors. Email access remains one of the most effective initial compromise vectors for both cybercrime and potential espionage operations.

Microsoft’s decision to maintain EEMS alongside the permanent patch signals a conservative risk management strategy. The company does not guarantee that the June fix is the final word; the phrase "as further improvements are released" implies the fix cycle may not be concluded. For administrators, this means monitoring Exchange advisories remains mandatory even after updates are applied.

Information has been verified against cited sources and is current as of the time of publication.

Sources and references
  1. bleepingcomputer.com
  2. securityweek.com
  3. rescana.com
  4. msrc.microsoft.com
  5. helpnetsecurity.com
  6. pcper.com
  7. cisa.gov