CISA warns of Microsoft Exchange Server flaw exploited in attacks
CISA has added a Microsoft Exchange Server vulnerability to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild.
The flaw, tracked as CVE-2026-42897, affects Outlook Web Access in on-premises Exchange Server. Attackers can exploit it by sending a specially crafted email that executes JavaScript in the victim’s browser when opened in OWA under certain interaction conditions.
This is not a direct server takeover bug. The risk centers on mailbox compromise, spoofing, session abuse, and user-level attacks through the OWA browser session.
What CVE-2026-42897 does
CVE-2026-42897 is a cross-site scripting issue in Microsoft Exchange Server. Microsoft classifies it as a spoofing vulnerability because the attacker's script runs inside the victim's authenticated OWA browser context, where it can act and present content as if it came from the legitimate user or the Exchange interface.
The exploit path starts with email. An attacker sends a crafted message to a target, and the risk appears when that message is opened in Outlook Web Access and the required interaction conditions are met.
Once triggered, attacker-controlled JavaScript can run in the authenticated OWA session. That can create a path to mailbox abuse, session token theft, message manipulation, or unauthorized mailbox setting changes.
| Detail | Information |
|---|---|
| CVE | CVE-2026-42897 |
| Product | Microsoft Exchange Server |
| Affected component | Outlook Web Access |
| Vulnerability type | Cross-site scripting and spoofing |
| Microsoft severity | High, CVSS 8.1 |
| CISA KEV date added | May 15, 2026 |
| CISA remediation deadline | May 29, 2026 |
Which Exchange versions are affected?
The vulnerability affects on-premises Microsoft Exchange Server deployments. Public reporting and Microsoft guidance identify Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition as affected.
Exchange Online is not listed as affected. That distinction matters because many organizations now run Microsoft 365 mailboxes, while others still maintain on-premises Exchange for mail, hybrid administration, or legacy workflows.
Organizations with any internet-facing OWA deployment should treat the issue as urgent until they confirm that Microsoft’s mitigation has been applied.
Why CISA added the flaw to the KEV catalog
CISA adds vulnerabilities to its Known Exploited Vulnerabilities catalog when there is evidence of active exploitation. That makes the listing more serious than an ordinary advisory.
Federal Civilian Executive Branch agencies must apply mitigations by May 29, 2026, under CISA’s Binding Operational Directive 22-01. Private organizations do not have the same legal requirement, but many security teams use the KEV catalog as a priority patching list.
The quick KEV listing shows that attackers are exploiting the flaw before a permanent security update has shipped, rather than waiting for the traditional Patch Tuesday cycle. Exchange has a long history as a high-value target, and OWA gives attackers a browser-based path into sensitive mail activity without touching the server itself.
What attackers can do with the OWA flaw
The strongest known impact involves the user’s mailbox and browser session, not direct control of the Exchange server operating system.
A successful attack could help a threat actor read or manipulate email content, steal session material, abuse the user’s authenticated OWA context, or plant mailbox rules that support further compromise.
That can still have serious business impact. Mailbox access often gives attackers a path to business email compromise, internal phishing, invoice fraud, password reset abuse, and follow-on attacks against other services.
- Execute JavaScript in the victim’s OWA browser session.
- Abuse the authenticated mailbox context.
- Steal or misuse session-related data.
- Create or modify mailbox rules.
- Impersonate trusted users in email threads.
- Support business email compromise or phishing campaigns.
Microsoft’s mitigation guidance
Microsoft has provided mitigation options for affected Exchange Server deployments while a permanent fix is prepared.
The recommended option is the Exchange Emergency Mitigation Service. Microsoft says this service can apply emergency mitigations automatically on supported Exchange servers and is enabled by default in many environments.
Organizations that cannot use the Emergency Mitigation Service can use the Exchange On-premises Mitigation Tool. Administrators can apply the CVE-specific mitigation on individual servers or across Exchange servers through an elevated Exchange Management Shell.
| Mitigation option | Use case |
|---|---|
| Exchange Emergency Mitigation Service | Recommended option for supported Exchange servers when enabled |
| Exchange On-premises Mitigation Tool | Manual mitigation path, including air-gapped or controlled environments |
| OWA exposure review | Reduce unnecessary internet-facing access while mitigation is verified |
| Monitoring and log review | Detect suspicious mailbox activity and abnormal OWA behavior |
How administrators should respond
Administrators should first identify every on-premises Exchange Server instance, including hybrid servers that may not host active mailboxes but still expose OWA or management services.
Next, they should confirm whether the Exchange Emergency Mitigation Service is enabled and whether the CVE-2026-42897 mitigation has been applied successfully.
Security teams should also review OWA access logs, mailbox rule changes, suspicious sign-ins, unexpected email forwarding rules, and abnormal user behavior after crafted email delivery attempts.
- Inventory every on-premises Exchange Server.
- Check whether OWA is exposed to the internet.
- Confirm that the Exchange Emergency Mitigation Service is enabled.
- Apply the CVE-2026-42897 mitigation through EEMS or EOMT.
- Review all externally reachable OWA endpoints.
- Monitor for suspicious mailbox rules and forwarding changes.
- Check for unusual OWA sessions and authentication patterns.
- Prepare to deploy Microsoft’s full security update when available.
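The response checklist above, and the EEMS versus EOMT choice described under Microsoft's mitigation guidance, can be worked through in one pass from an elevated Exchange Management Shell. The script below is an added example written for this article, not Microsoft's tooling or the article's own code. It uses only standard Exchange cmdlets: it inventories servers and their Emergency Mitigation Service state, lists OWA virtual directories with an external URL, and reviews mailbox forwarding and inbox rules. The article does not name the mitigation ID that EEMS applies for CVE-2026-42897, so the script reports whatever mitigations are present rather than matching a specific ID; the 30-day review window is an assumption.

```powershell
# Added example (not from the article or from Microsoft). Run in an elevated
# Exchange Management Shell on an on-premises Exchange 2016/2019/SE server.

$since = (Get-Date).AddDays(-30)   # assumption: how far back to review changes

# 1. Inventory every on-premises Exchange server and its EEMS state.
#    MitigationsApplied lists the mitigation IDs EEMS has applied on that server;
#    the ID for CVE-2026-42897 is not given in the article, so compare against
#    Microsoft's bulletin by hand. Org-level MitigationsEnabled overrides servers.
$orgEems = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization-level EEMS enabled: $orgEems"

$servers = Get-ExchangeServer | Sort-Object Name
$servers | Select-Object Name, ServerRole, AdminDisplayVersion,
    MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# Servers with EEMS off, or nothing applied, need the manual EOMT path.
$needsManual = $servers | Where-Object {
    -not $_.MitigationsEnabled -or -not $_.MitigationsApplied
}
if ($needsManual) {
    Write-Warning ('EEMS disabled or no mitigation applied on: ' +
        (($needsManual | ForEach-Object Name) -join ', '))
}

# 2. OWA exposure: a virtual directory with an ExternalUrl is published to the
#    internet unless a reverse proxy or firewall in front of Exchange blocks it.
Get-OwaVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, Name, InternalUrl, ExternalUrl |
    Format-Table -AutoSize

# 3. Forwarding configured on the mailbox object itself.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress,
        ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 4. Inbox rules that forward, redirect, or silently delete mail. Attackers plant
#    these to hide replies during business email compromise. Get-InboxRule reads
#    the rules stored in the mailbox, so it also catches rules created by Outlook
#    desktop, which the admin audit log in step 5 does not see.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    } | ForEach-Object {
        # Heuristic (assumption about the recipient string format): pull every
        # SMTP domain out of the rule's recipients and flag ones outside the org.
        $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $external = ($targets -join ' ') |
            Select-String -Pattern '@([A-Za-z0-9.-]+)' -AllMatches |
            ForEach-Object { $_.Matches } |
            ForEach-Object { $_.Groups[1].Value.TrimEnd(']') } |
            Where-Object { $accepted -notcontains $_ } | Sort-Object -Unique
        [pscustomobject]@{
            Mailbox        = $mbx.PrimarySmtpAddress
            Rule           = $_.Name
            Enabled        = $_.Enabled
            DeletesMail    = $_.DeleteMessage
            ExternalDomain = $external -join ','
        }
    }
} | Format-Table -AutoSize

# 5. Recent rule and mailbox changes recorded by the admin audit log. Rules
#    created through OWA's options page go through these cmdlets and show up here.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Remove-InboxRule, Set-Mailbox `
    -StartDate $since -EndDate (Get-Date) |
    Sort-Object RunDate -Descending |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Format-Table -AutoSize
```

Treat step 1 as the gate: a server that shows MitigationsEnabled false, or an empty MitigationsApplied list, has not received anything from EEMS and must be handled with the Exchange On-premises Mitigation Tool until Microsoft's full security update is installed. Steps 3 to 5 are the mailbox-side checks the article calls for; they do not prove exploitation on their own, but an unexpected external forwarding domain or a rule that deletes mail on a mailbox that recently received suspicious email is the strongest signal available without campaign-specific indicators.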
What security teams should monitor
Microsoft has not published detailed public indicators for a specific campaign. That means defenders should focus on exposure, mitigation status, and behavior-based signs of compromise.
Mailbox-focused attacks often leave traces in user activity rather than obvious server malware. Security teams should look for suspicious inbox rules, unexpected message access, strange sent mail, and sign-ins from unusual locations or devices.
Organizations should also warn users who rely on OWA to report unexpected browser behavior, suspicious prompts, or email content that appears malformed or unusual.
- Unexpected inbox forwarding rules.
- Mailbox rule changes after suspicious emails arrive.
- Unusual OWA session activity.
- Sign-ins from unexpected IP addresses or countries.
- Mailbox access outside normal working hours.
- Suspicious sent messages from trusted accounts.
- Reports of strange email rendering in OWA.
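Because no campaign-specific indicators are public, the useful OWA signal is behavioral: which accounts used OWA, from how many client addresses, with which browsers, and at what hours. The script below is an added example, not part of the article, that parses the W3C-format IIS logs Exchange writes on the front end (default path `C:\inetpub\logs\LogFiles\W3SVC1`) and summarizes successful OWA requests per user. The log lines embedded in it are constructed for the example, and the working-hours window and IP threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the article). Runs offline on the constructed sample;
# point it at real logs with the Get-Content line near the bottom.

function ConvertFrom-IisLog {
    # Parse W3C extended log lines into objects using the #Fields header,
    # so the column order in any given log file does not matter.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'   # IIS replaces spaces inside values with '+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$obj
    }
}

function Get-OwaSessionSummary {
    # One row per authenticated OWA user: request count, distinct client IPs,
    # distinct user agents, and hits outside the working-hours window.
    param(
        [object[]]$Entries,
        [int]$WorkStart = 7,      # assumption: IIS logs in UTC; adjust for your users
        [int]$WorkEnd   = 20,
        [int]$MaxIps    = 2       # assumption: more client IPs than this is worth a look
    )
    $owa = $Entries | Where-Object {
        $_.'cs-uri-stem' -like '/owa/*' -and $_.'cs-username' -ne '-' -and $_.'sc-status' -eq '200'
    }
    $owa | Group-Object 'cs-username' | ForEach-Object {
        $ips    = @($_.Group.'c-ip' | Sort-Object -Unique)
        $agents = @($_.Group.'cs(User-Agent)' | Sort-Object -Unique)
        $offHours = @($_.Group | Where-Object {
            $hour = [int]$_.time.Substring(0, 2)
            $hour -lt $WorkStart -or $hour -ge $WorkEnd
        }).Count
        [pscustomobject]@{
            User         = $_.Name
            Requests     = $_.Count
            ClientIPs    = $ips -join ','
            UserAgents   = $agents.Count
            OffHoursHits = $offHours
            Flag         = ($ips.Count -gt $MaxIps) -or ($offHours -gt 0)
        }
    }
}

# Constructed sample log, not real traffic: alice appears from two networks with
# two browsers, one visit at 03:12 UTC; bob looks normal; the last line is an
# unauthenticated probe of the logon page and is ignored by the summary.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-16 08:15:02 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 - 200 0 0 120
2026-05-16 08:16:10 10.0.0.5 POST /owa/service.svc action=FindItem 443 CONTOSO\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 https://mail.contoso.example/owa/ 200 0 0 40
2026-05-16 03:12:45 10.0.0.5 POST /owa/service.svc action=GetFolder 443 CONTOSO\alice 198.51.100.77 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/125.0 https://mail.contoso.example/owa/ 200 0 0 55
2026-05-16 09:01:00 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 203.0.113.22 Mozilla/5.0+(Windows+NT+10.0)+Edge/124.0 - 200 0 0 98
2026-05-16 09:02:30 10.0.0.5 GET /ecp/ - 443 CONTOSO\bob 203.0.113.22 Mozilla/5.0+(Windows+NT+10.0)+Edge/124.0 - 200 0 0 30
2026-05-16 10:20:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.9 curl/8.5.0 - 401 2 5 3
'@ -split "`r?`n"

$entries = ConvertFrom-IisLog -Lines $sampleLog
# Real logs instead of the sample:
# $entries = ConvertFrom-IisLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
Get-OwaSessionSummary -Entries $entries -MaxIps 1 | Format-Table -AutoSize
```

On the sample, alice is flagged (two client IPs, two user agents, one request at 03:12 UTC) and bob is not; the `/ecp/` request and the anonymous `401` probe are excluded because the summary only counts successful `/owa/` requests with a username. A flag is a prompt to pull that mailbox's inbox rules and sent items, not proof of compromise: travelling users and mobile browsers produce the same pattern, which is why the thresholds are parameters.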
Why this Exchange flaw matters
Exchange Server remains a high-value target because email accounts hold sensitive business conversations, password reset messages, legal records, invoices, and internal documents.
Even a browser-based OWA flaw can create serious risk when attackers use it to steal session data or abuse mailbox access. The attacker may not need to compromise the Exchange server itself to cause damage.
This is why organizations should not wait for public exploit details. Once CISA adds a vulnerability to the KEV catalog, defenders should assume attackers are already testing exposed systems.
FAQ
What is CVE-2026-42897?
CVE-2026-42897 is a Microsoft Exchange Server vulnerability affecting Outlook Web Access. It is a cross-site scripting issue that Microsoft classifies as a spoofing flaw.
Is CVE-2026-42897 being exploited?
Yes. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, which confirms known exploitation.
Which Exchange versions are affected?
Public guidance lists on-premises Exchange Server versions as affected. Exchange Online is not listed as affected in the reporting and mitigation guidance.
What should administrators do?
Administrators should verify that the Exchange Emergency Mitigation Service has applied the mitigation, use the Exchange On-premises Mitigation Tool if needed, review OWA exposure, and monitor mailbox activity for suspicious behavior.