On‑Prem Microsoft Exchange Server CVE‑2026‑42897 Actively Exploited

Overview

Microsoft has disclosed a new vulnerability in on‑premises Exchange Server, tracked as CVE‑2026‑42897 (CVSS 8.1). The flaw, a cross‑site scripting (XSS) bug, is already under active exploitation in the wild. Attackers can weaponize crafted emails to execute arbitrary JavaScript in Outlook Web Access (OWA), enabling spoofing and potentially broader compromise.

Technical Details

  • Vulnerability Type: Spoofing via improper neutralization of input during web page generation.
  • Attack Vector:
    • Attacker sends a crafted email.
    • When opened in OWA under certain conditions, arbitrary JavaScript executes in the browser context.
  • Affected Versions:
    • Exchange Server 2016 (all updates).
    • Exchange Server 2019 (all updates).
    • Exchange Server Subscription Edition (SE).
  • Not Impacted: Exchange Online.

Exploitation

  • Microsoft tagged CVE‑2026‑42897 with “Exploitation Detected.”
  • Details on threat actors, targets, and scale remain unclear.
  • Attack relies on user interaction (opening crafted emails in OWA).

Mitigation

  • Exchange Emergency Mitigation Service (EEMS):
    • Provides automatic mitigation via URL rewrite configuration.
    • Enabled by default; if disabled, administrators should enable the Windows service.
  • Exchange On‑Premises Mitigation Tool (EOMT):
    • Download latest version from aka.ms/UnifiedEOMT.
  • Apply per server or across all servers. Both commands are run from the Exchange Management Shell in the folder holding the script; the first mitigates the local server, the second pipes every non‑Edge server in the organization to the script:

        .\EOMT.ps1 -CVE "CVE-2026-42897"

        Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
  • Known Issue: The mitigation may show “Mitigation invalid for this exchange version” in its description field. Microsoft confirmed this is cosmetic: if the status shows “Applied,” the mitigation is in place.
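The steps above (confirm EEMS is enabled, apply EOMT fleet‑wide, verify) as one script. This is an added example, not Microsoft's tooling or anything from the advisory; it assumes EOMT.ps1 from aka.ms/UnifiedEOMT is in the current directory, that it is run from the Exchange Management Shell on a non‑Edge server, that EEMS runs as the Windows service MSExchangeMitigation, and that the MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties exist on the organization and server objects, all of which are assumptions drawn from the EEMS documentation rather than from this page.

```powershell
# Added example, not the advisory's own commands. Assumes:
#   - EOMT.ps1 (aka.ms/UnifiedEOMT) is in the current directory
#   - this runs in the Exchange Management Shell on a non-Edge server
#   - EEMS is the Windows service named MSExchangeMitigation
#   - Get-OrganizationConfig / Get-ExchangeServer expose MitigationsEnabled,
#     MitigationsApplied and MitigationsBlocked (assumed from EEMS docs)

$cve = "CVE-2026-42897"

# 1. EEMS delivers the URL-rewrite mitigation only if its service is running.
$eems = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $eems) {
    Write-Warning "EEMS service not found on this host (Edge role or pre-EEMS build?)"
} elseif ($eems.Status -ne 'Running') {
    Write-Host "Starting EEMS service"
    Start-Service -Name MSExchangeMitigation
}

# 2. EEMS also honors an org-level and a per-server switch; both must be true.
$org     = Get-OrganizationConfig
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

if (-not $org.MitigationsEnabled) {
    Write-Warning "Mitigations are disabled at the organization level"
}

foreach ($s in $servers) {
    if (-not $s.MitigationsEnabled) {
        Write-Warning "Mitigations are disabled on server $($s.Name)"
    }
}

# 3. Apply the EOMT mitigation to every non-Edge server (the advisory's pipeline).
$servers | .\EOMT.ps1 -CVE $cve

# 4. Report the EEMS view per server. Read EOMT's own output for the
#    "Applied" status; the "Mitigation invalid for this exchange version"
#    description text is cosmetic per Microsoft.
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | ForEach-Object {
    [pscustomobject]@{
        Server             = $_.Name
        MitigationsEnabled = $_.MitigationsEnabled
        MitigationsApplied = ($_.MitigationsApplied -join ',')
        MitigationsBlocked = ($_.MitigationsBlocked -join ',')
    }
} | Format-Table -AutoSize
```

Run it once after downloading the script; re-running is safe because EOMT and EEMS both treat an already-applied mitigation as a no-op. Edge Transport servers are excluded deliberately, matching the advisory's pipeline, since they do not host OWA.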

Final Thought

CVE‑2026‑42897 highlights how crafted emails remain a powerful attack vector against on‑prem Exchange. With exploitation already detected, organizations must apply mitigations immediately and prepare for Microsoft’s permanent fix. For defenders, the lesson is clear: email‑borne XSS can escalate into spoofing and broader compromise if left unchecked.
