Full Report
Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. "
Analysis Summary
# Vulnerability: Microsoft Exchange Server Spoofing and XSS Flaw
## CVE Details
- **CVE ID:** CVE-2026-42897
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting')
## Affected Systems
- **Products:** Microsoft Exchange Server (On-Premises)
- **Versions:**
- Exchange Server 2016 (all update levels)
- Exchange Server 2019 (all update levels)
- Exchange Server Subscription Edition (SE) (all update levels)
- **Configurations:** Systems utilizing Outlook Web Access (OWA). Exchange Online is **not** affected.
## Vulnerability Description
This is a cross-site scripting (XSS) vulnerability that allows an unauthorized attacker to perform spoofing over a network. The flaw stems from improper neutralization of input in the web interface. An attacker can execute arbitrary JavaScript code in the context of the user's browser by sending a specially crafted email that the victim must open in Outlook Web Access (OWA).
## Exploitation
- **Status:** Exploited in the wild ("Exploitation Detected").
- **Complexity:** Medium (Requires user interaction/specific conditions).
- **Attack Vector:** Network (Email-based).
## Impact
- **Confidentiality:** High (Ability to execute arbitrary scripts in the user's session).
- **Integrity:** High (Ability to spoof content and perform actions as the user).
- **Availability:** Low.
## Remediation
### Patches
- Microsoft is currently **readying a permanent fix**; a standard security update is not yet available at the time of the report.
### Workarounds
- **Exchange Emergency Mitigation Service (EEMS):** Enabled by default, this service automatically applies a URL rewrite configuration to mitigate the flaw. Ensure the Windows service is running.
- **Exchange on-premises Mitigation Tool (EOMT):** For air-gapped or manual environments:
1. Download the tool from hxxps[://]aka[.]ms/UnifiedEOMT.
2. Run via Exchange Management Shell: `.\EOMT.ps1 -CVE "CVE-2026-42897"`
## Detection
- **Indicators of Compromise:** Look for unauthorized JavaScript execution in OWA sessions or suspicious URL patterns in web server logs.
- **Verification:** When using EOMT, if the status says "Applied" but the description says "Mitigation invalid for this exchange version," Microsoft confirms this is a **cosmetic bug** and the mitigation is indeed active.
## References
- **MSRC Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-42897
- **Exchange Team Blog:** hxxps[://]techcommunity[.]microsoft[.]com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- **EEMS Documentation:** hxxps[://]learn[.]microsoft[.]com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service