
Exchange Server Zero-Day CVE-2026-42897 Targets Outlook Web Access

By Infonaligy

Microsoft disclosed CVE-2026-42897, an actively exploited XSS flaw in Outlook Web Access with no patch. Here's what SMBs should do now.


Microsoft disclosed CVE-2026-42897 on May 14, 2026, two days after Patch Tuesday. It is a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) that attackers are already exploiting in the wild. There is no patch available. If your business runs on-premises Exchange Server and employees access email through a web browser, you need to act this week.

The vulnerability affects Exchange Server Subscription Edition, Exchange Server 2016, and Exchange Server 2019. Attackers send specially crafted emails that, when opened in OWA, execute malicious JavaScript in the victim’s browser session. That JavaScript can steal email contents, harvest credentials, and pivot to other systems within your organization.

What OWA Is and Why It Matters

Outlook Web Access is the browser-based email interface for on-premises Microsoft Exchange Server. Instead of using the desktop Outlook application, employees open a web page (typically something like mail.yourcompany.com) to read and send email. Many businesses use OWA as a convenience for remote workers, personal devices, or situations where the full Outlook client is unavailable.

The problem is that OWA is often exposed directly to the internet. If your employees can log in from any browser, anywhere, then so can an attacker’s crafted email payload. Unlike a vulnerability in the desktop Outlook client, an OWA exploit runs inside the browser, which means standard endpoint detection tools may not see it happening.

How the Attack Works

The attack chain is straightforward, which is part of what makes it dangerous.

  1. The attacker sends a crafted email to a user whose mailbox is on a vulnerable Exchange Server.
  2. The user opens that email in OWA through their browser. No attachment download is required. No link click is required. Simply rendering the email in the OWA interface is enough to trigger the exploit under certain conditions.
  3. Malicious JavaScript executes inside the user’s authenticated browser session. The script runs with the same permissions the user has in OWA.
  4. The attacker harvests data. Depending on the payload, this can include reading email, forwarding messages to an external address, stealing session cookies, or injecting content that tricks the user into entering credentials.

Because the JavaScript runs inside an already-authenticated session, the attacker does not need to crack passwords or bypass multi-factor authentication. The user has already authenticated. The exploit rides on top of that legitimate session.

Who Is Affected

Three Exchange Server versions are vulnerable:

  • Exchange Server Subscription Edition (all current builds)
  • Exchange Server 2019 (all cumulative updates)
  • Exchange Server 2016 (all cumulative updates)

If your organization has already migrated to Exchange Online (Microsoft 365), you are not affected by this specific vulnerability. Exchange Online uses a different codebase for its web interface, and Microsoft has confirmed that the cloud-hosted service is not vulnerable to CVE-2026-42897.

If you are unsure whether your business runs on-premises Exchange or Exchange Online, ask your IT team. The distinction matters. If employees access email through outlook.office.com or outlook.office365.com, that is Exchange Online. If they access it through a URL on your company’s own domain, it is likely on-premises Exchange with OWA.

What Microsoft Recommends Right Now

Because no patch exists yet, Microsoft has published mitigation guidance rather than a fix. Their recommendations include:

  • Enable Emergency Exchange Mitigation Service (EEMS). EEMS is a feature built into Exchange Server that allows Microsoft to push temporary mitigations automatically before a full patch is available. If you have not enabled EEMS, you are missing mitigations that Microsoft may have already published for this vulnerability. Microsoft’s EEMS documentation explains how to enable it.
  • Apply the latest cumulative update. While the CU does not fix CVE-2026-42897, it ensures your server is on a supported baseline and has previous security fixes applied. Running an outdated CU compounds your risk.
  • Follow the specific mitigation guidance published in the CVE advisory. Microsoft may release IIS URL rewrite rules or configuration changes that reduce the attack surface for this specific exploit vector.

These mitigations reduce risk, but they do not eliminate it. Until Microsoft releases a patch, the underlying vulnerability remains in the OWA codebase.
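The three recommendations above can be checked from the Exchange Management Shell in one pass. The script below is an added example, not code from Microsoft's advisory or from Infonaligy; it assumes it is run on an on-premises Exchange 2016, 2019 or Subscription Edition mailbox server with the Exchange cmdlets loaded, and it assumes the Windows service name for the Emergency Mitigation Service is MSExchangeMitigation (the cmdlet and property names are Microsoft's; the service name is the one assumption to verify in your environment).

```powershell
# Added example (not the post's or Microsoft's code). Run in the Exchange Management Shell
# on an on-premises Exchange mailbox server.

# 1. Is the Emergency Mitigation Service (EEMS) enabled for the organization?
#    If it is off, Microsoft-published mitigations are never pulled down.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled org-wide; enabling it so published mitigations can be applied."
    Set-OrganizationConfig -MitigationsEnabled $true
}

# 2. Per-server view: build number (your CU baseline) plus which mitigations
#    have been applied or deliberately blocked on each mailbox server.
Get-ExchangeServer |
    Where-Object { $_.ServerRole -like '*Mailbox*' } |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 3. Confirm the mitigation service itself is running on this host.
#    Service name assumed to be MSExchangeMitigation; verify with Get-Service *Mitigation*.
Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Compare the AdminDisplayVersion values against Microsoft's current build list: a server on an old CU may not be able to receive the mitigation at all, which is why the "apply the latest CU" step comes before relying on EEMS.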

What Your Business Should Do This Week

Beyond Microsoft’s official guidance, there are practical steps your IT team or managed IT provider should take immediately.

Audit Your OWA Exposure

Determine whether OWA is accessible from the internet. If your Exchange Server’s web interface is reachable from any browser on any network, your attack surface is at its widest. Many businesses set up OWA years ago for remote access and never revisited that decision, even after deploying VPN or other remote access tools.

If OWA must remain internet-facing, ensure it sits behind a web application firewall (WAF) that can inspect and filter malicious payloads before they reach the Exchange Server.

Restrict OWA Access Where Possible

If your employees primarily use the desktop Outlook client or Outlook mobile apps, consider temporarily disabling OWA or restricting it to internal network access only. This is the single most effective mitigation because it removes the attack vector entirely. Desktop Outlook connects to Exchange using MAPI over HTTPS or Exchange Web Services, which are different protocols that are not affected by this XSS vulnerability.

Talk to your IT team about whether disabling OWA would cause significant operational disruption. For many businesses, the answer is no, since most users are on the Outlook desktop or mobile client already.
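The audit step and the restriction step above can be scripted together so that the change is reviewed before it is applied. This is an added example, not the post's own procedure; it assumes the Exchange Management Shell on an on-premises server, and the two addresses in $owaAllowed are constructed placeholders for the mailboxes that genuinely need browser access.

```powershell
# Added example (not the post's code). Exchange Management Shell, on-premises.

# --- Audit: which servers publish OWA, and with what URLs? ---
Get-OwaVirtualDirectory |
    Select-Object Server, Name, InternalUrl, ExternalUrl |
    Format-Table -AutoSize
# Caveat: an empty ExternalUrl does not prove OWA is unreachable from the internet.
# The firewall or reverse-proxy publishing rule for TCP 443 to this server decides that,
# so cross-check the audit against the perimeter configuration.

# --- Restrict: disable OWA for every mailbox not on the allow list ---
$owaAllowed = @('helpdesk@example.com', 'ceo@example.com')   # constructed placeholder values

$plan = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.OWAEnabled -and
        ($owaAllowed -notcontains $_.PrimarySmtpAddress.ToString())
    }

# Write the plan out first so the change can be reviewed and reverted if needed.
$plan | Select-Object DisplayName, PrimarySmtpAddress, OWAEnabled |
    Export-Csv -Path .\owa-disable-plan.csv -NoTypeInformation

foreach ($mbx in $plan) {
    # -WhatIf makes this a dry run; remove it once the CSV has been reviewed.
    Set-CASMailbox -Identity $mbx.Identity -OWAEnabled $false -WhatIf
}
```

Reverting is the same loop with -OWAEnabled $true over the CSV, which is why the plan file is kept. Disabling OWA per mailbox leaves Outlook desktop and mobile (MAPI over HTTP, EWS, ActiveSync) untouched, which matches the point made above that those clients use different protocols.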

Watch for Indicators of Compromise

Work with your IT provider to review Exchange Server logs for signs that this vulnerability has already been exploited. Look for unusual JavaScript execution in OWA, unexpected mail forwarding rules, new inbox rules created without user action, or session anomalies. If you use a managed SIEM or SOC service, your provider should be correlating Exchange logs against known indicators for CVE-2026-42897.
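Two of the indicators named above, unexpected forwarding and inbox rules created without user action, can be hunted for directly with Exchange cmdlets. The script below is an added example, not the post's code or a Microsoft detection; it assumes an on-premises Exchange Management Shell with admin audit logging enabled (the default), and 'example.com' is a constructed placeholder for your accepted domains.

```powershell
# Added example (not the post's code). Exchange Management Shell, on-premises.
$internalDomains = @('example.com')      # constructed placeholder; list your accepted domains
$since = (Get-Date).AddDays(-14)

# 1. Forwarding configured on the mailbox object itself
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward or redirect to an address outside the internal domains
function Get-ExternalForwardingRules {
    param([string[]]$InternalDomains)
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            $external = foreach ($t in $targets) {
                # Recipient entries render as 'Name [SMTP:user@domain]'; pull out the address.
                if ("$t" -match '([\w.+-]+@[\w.-]+)') {
                    $domain = ($Matches[1] -split '@')[-1]
                    if ($InternalDomains -notcontains $domain) { $Matches[1] }
                }
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox         = $mbx.PrimarySmtpAddress
                    Rule            = $rule.Name
                    Enabled         = $rule.Enabled
                    ExternalTargets = ($external -join ';')
                }
            }
        }
    }
}
Get-ExternalForwardingRules -InternalDomains $internalDomains | Format-Table -AutoSize

# 3. Who created or changed rules recently. Rule changes made through OWA or PowerShell
#    are recorded in the admin audit log with the cmdlet, the caller and the target mailbox.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox -StartDate $since |
    Select-Object RunDate, Caller, ObjectModified, CmdletName |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

A rule created while the user was not at the keyboard, or a Caller that does not match the mailbox owner, is the kind of session anomaly the section above describes; feed the output to your SIEM rather than reviewing it once, since a session-riding payload can recreate rules after they are removed.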

Brief Your Employees

Let your team know that email opened in the browser (OWA) carries additional risk right now. If desktop Outlook or mobile Outlook is available, they should use that instead until a patch is released. This is not about scaring people. It is about giving them a clear, simple action they can take to reduce exposure.

Accelerate Your Cloud Migration Evaluation

If your business has been considering a move from on-premises Exchange to Microsoft 365 and Exchange Online, this vulnerability is a concrete data point in that decision. On-premises Exchange requires your IT team to manage patching, security configurations, and mitigations for every vulnerability that surfaces. Exchange Online shifts that responsibility to Microsoft, which patches its infrastructure without requiring action from your team.

This is not the first on-premises Exchange zero-day. Exchange has been a high-value target for years, with significant vulnerabilities disclosed regularly. Each one requires the same cycle: read the advisory, determine if you are affected, apply mitigations, wait for a patch, deploy the patch, and verify it worked. With Exchange Online, that cycle is handled by Microsoft before you read the first news article about it.

Migration is not trivial, and there are legitimate reasons some businesses keep Exchange on-premises, including compliance requirements, data residency, and integration with legacy systems. But for most SMBs, the operational and security burden of maintaining on-premises Exchange outweighs those concerns. If you have been putting off the evaluation, CVE-2026-42897 is a good reason to start.

How This Connects to Our Zero-Day Response Process

We wrote recently about how our team responds when a critical zero-day drops, covering the process from initial SOC detection through asset identification, mitigation, patching, and client communication. CVE-2026-42897 is going through that same process right now for every Infonaligy client running on-premises Exchange.

The difference between having a managed security provider and handling this internally is the speed and coverage of the response. Our SOC flagged CVE-2026-42897 within hours of disclosure. Our RMM platform identified every client environment running affected Exchange Server versions. Mitigations are being deployed, and when Microsoft releases a patch, it will be tested and pushed to every affected system through the same process we described in that post.

If your IT provider has not contacted you about CVE-2026-42897 yet, and you run on-premises Exchange, that silence is worth questioning.

Need Help With Exchange Server Security?

Our team can audit your OWA exposure, deploy mitigations for CVE-2026-42897, and help you evaluate whether it's time to move to Exchange Online.
