Full Report
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. [...]
Analysis Summary
# Vulnerability: Microsoft Exchange Server Spoofing and Remote Code Execution via XSS
## CVE Details
- CVE ID: CVE-2026-42897
- CVSS Score: High (Specific numerical score not provided in article, but designated as high-severity)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-Site Scripting)
## Affected Systems
- Products: Microsoft Exchange Server
- Versions:
- Exchange Server 2016 CU23
- Exchange Server 2019 CU14 and CU15
- Exchange Server Subscription Edition (SE) RTM
- Configurations: Systems running Outlook on the Web (OWA) that have not applied the latest emergency mitigations. Servers must be running at least the March 2023 update to utilize automated mitigation services.
## Vulnerability Description
CVE-2026-42897 is a high-severity spoofing vulnerability that manifests as a Cross-Site Scripting (XSS) flaw. The vulnerability exists in how Exchange Server handles specially crafted emails within Outlook on the Web (OWA). By sending a malicious email, an attacker can trigger the execution of arbitrary JavaScript in the context of the victim's browser session. While categorized as "spoofing" by Microsoft, the primary technical risk is the execution of arbitrary code via XSS.
## Exploitation
- Status: Exploited in the wild (Zero-day)
- Complexity: Medium (Requires victim interaction to open the email)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Attacker can steal session tokens and sensitive user data)
- Integrity: High (Attacker can execute actions on behalf of the user/admin)
- Availability: Low/Medium (Depending on the actions taken within the script context)
## Remediation
### Patches
- **Not yet available.** Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14/CU15.
- **Note:** Updates for Exchange 2016 and 2019 will only be accessible to customers enrolled in the Period 2 Extended Security Update (ESU) program.
### Workarounds
- **Exchange Emergency Mitigation Service (EEMS):** Ensure EEMS is enabled. It will automatically apply interim mitigations to connected servers.
- **Exchange On-premises Mitigation Tool (EOMT):** For air-gapped or manually managed environments, download EOMT and run the following via an elevated Exchange Management Shell:
- *Single server:* `.\EOMT.ps1 -CVE "CVE-2026-42897"`
- *All servers:* `Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"`
## Detection
- **Indicators of Compromise:** Unusual JavaScript activity originating from OWA sessions; suspicious emails containing obfuscated scripts or unconventional HTML tags.
- **Detection methods:** Monitor EEMS logs to verify if the mitigation has been successfully applied. Review web server logs for OWA for suspicious URI patterns or script injections.
## References
- Microsoft Exchange Team Advisory: hxxps[://]techcommunity[.]microsoft[.]com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- BleepingComputer Report: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/
- Microsoft EEMS Documentation: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/