Microsoft Fixes Actively Exploited Exchange Server OWA Vulnerability
Microsoft has patched an actively exploited Exchange Server vulnerability that can let attackers run malicious JavaScript in Outlook Web Access through a specially crafted email.
The flaw is tracked as CVE-2026-42897 and affects on-premises Exchange Server deployments. Exchange Online customers are already protected, but organizations that still run Exchange Server locally need to verify mitigation and patch status.
Microsoft first disclosed the issue in its May Exchange Server guidance. The company later included the permanent fix in the June 2026 Exchange Server Security Updates.
CVE-2026-42897 Targets Outlook Web Access
CVE-2026-42897 is a cross-site scripting issue in Exchange Outlook Web Access, also known as OWA. It stems from improper neutralization of input during web page generation.
An unauthenticated attacker can send a specially crafted email to a target. If the target opens the message in OWA and the required interaction conditions are met, attacker-controlled JavaScript can run in the browser context of the logged-in user.
The NVD entry lists Microsoft’s CVSS 3.1 score as 8.1 high and identifies the weakness as CWE-79. NVD also notes that the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.
| Item | Details |
|---|---|
| CVE | CVE-2026-42897 |
| Product | Microsoft Exchange Server |
| Affected component | Outlook Web Access |
| Vulnerability type | Cross-site scripting and spoofing |
| Microsoft CVSS score | 8.1 high |
| Exploitation status | Exploitation detected |
| Exchange Online | Already protected |
Weaponized Email Makes the Flaw Dangerous
The attack path is concerning because the payload arrives as ordinary email. The victim does not need to install malware or open an executable attachment; having OWA render the message is enough to reach the vulnerable code path.
Successful exploitation can let an attacker execute JavaScript in the user’s browser session. That can support spoofing, session abuse, phishing inside a trusted mail interface, or other actions that depend on the victim’s OWA context.
Microsoft’s Exchange Team post said the issue affects on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The company said it had detected exploitation before the permanent fix was available.
June Security Updates Include the Permanent Fix
Microsoft released the permanent fix on June 9, 2026. The company said its June 2026 Exchange Server Security Updates address CVE-2026-42897 along with other Exchange Server vulnerabilities.
The updates are available for Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. For Exchange Server 2016 and 2019, access requires enrollment in Microsoft’s Period 2 Extended Security Update program.
Microsoft also warned that Exchange Emergency Mitigation and feature flighting services will not be able to use new configuration files released in July 2026 or later unless Exchange servers are updated to the June 2026 update level or newer.
| Exchange version | June 2026 update | Important note |
|---|---|---|
| Exchange Server Subscription Edition RTM | KB5094139 | Available for Exchange SE |
| Exchange Server 2019 CU15 | KB5094140 | Requires ESU access for Exchange 2019 |
| Exchange Server 2019 CU14 | KB5094142 | Requires ESU access for Exchange 2019 |
| Exchange Server 2016 CU23 | KB5094144 | Requires ESU access for Exchange 2016 |
Mitigation Still Matters After Patching
Before the security updates, Microsoft’s short-term defense relied on the Exchange Emergency Mitigation Service, also called EEMS. The service can automatically apply IIS URL Rewrite mitigation rules on supported Exchange servers.
The downloadable Exchange On-Premises Mitigation Tool can also apply CVE-specific mitigations in disconnected or restricted environments. Administrators can verify which mitigations are in effect with the Exchange Health Checker script, or by reading the MitigationsApplied and MitigationsBlocked properties that Get-ExchangeServer reports for each server.
Microsoft’s June update guidance says installing the June update does not automatically remove already applied CVE-2026-42897 mitigations. Microsoft recommends keeping the mitigation in place for now as an added layer of protection.
Known OWA Issues Can Follow the Mitigation
The mitigation can cause side effects in some OWA features. Microsoft documented customer reports around calendar printing, inline image display, OWA Light, published calendars, and OWACalendar proxy health monitoring.
Those problems come from the mitigation layer, not from the permanent CVE fix itself. Microsoft says the June update fixes CVE-2026-42897, but organizations may still see mitigation-related behavior until they remove or block the mitigation after patching.
Admins should handle that step carefully. Removing the mitigation before installing the June security update can reopen exposure on affected servers.
Exchange 2016 and 2019 Customers Face a Support Deadline
Exchange Server 2016 and Exchange Server 2019 have already reached end of support. Microsoft says organizations enrolled in the Extended Security Update program remain eligible for 2016 and 2019 security updates during the covered period.
The Exchange Server 2019 CU15 update includes the CVE-2026-42897 fix and other Exchange vulnerability fixes. Organizations not enrolled in ESU need to move to Exchange Server Subscription Edition to keep receiving future security updates.
The Exchange Server 2016 CU23 update also resolves the CVE-2026-42897 spoofing vulnerability, but it is only useful for organizations that still meet Microsoft’s ESU requirements.
- Install the June 2026 Exchange Server security update for your supported branch.
- Confirm whether EEMS applied the CVE-2026-42897 mitigation.
- Keep the mitigation in place unless you have installed the June update and accept the risk of removing it.
- Use Exchange Health Checker to verify update status and required follow-up actions.
- Review OWA access logs and mailbox activity for suspicious messages or unusual browser-side behavior.
- Migrate unsupported Exchange 2016 and 2019 deployments to Exchange Server Subscription Edition if ESU is not available.
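The checklist above and the earlier mitigation section describe one procedure: confirm the June update is installed, confirm what EEMS has applied, and only then block and remove the mitigation. The PowerShell below, an added example that is not Microsoft's code or the article's, runs that sequence in the Exchange Management Shell on one server. It reads the KB numbers from Microsoft's June 2026 table, reads mitigation state from Get-ExchangeServer, lists the IIS URL Rewrite rules on the Default Web Site, and refuses the blocking/removal step unless the June update is present. The mitigation identifier and the assumption that the rewrite rule carries the same name are placeholders: the article does not state the ID, so take it from the MitigationsApplied output before using -Remediate. Detecting the update through the Windows Installer and Uninstall registry keys is this example's approach; Exchange Health Checker remains the authoritative check.

```powershell
# Added example (not from Microsoft's post or the article). Run in the Exchange
# Management Shell as an Exchange administrator on each on-premises server.
[CmdletBinding()]
param(
    [string]$Server = $env:COMPUTERNAME,
    # ASSUMPTION: the real mitigation ID is not given in the article; copy it
    # from the MitigationsApplied output before running with -Remediate.
    [string]$MitigationId = 'ASSUMED-MITIGATION-ID',
    [switch]$Remediate
)

# KB numbers from Microsoft's June 2026 Exchange Server SU release table.
$JuneKBs = @('KB5094139', 'KB5094140', 'KB5094142', 'KB5094144')

function Test-JuneUpdateInstalled {
    # Exchange SUs are Windows Installer patches; they appear in the Installer
    # patch registry and in the Uninstall keys, not reliably in Get-HotFix.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\*',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $names = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DisplayName } | Where-Object { $_ }
    foreach ($kb in $JuneKBs) {
        if ($names | Where-Object { $_ -like "*$kb*" }) { return $kb }
    }
    return $null
}

function Get-ExchangeCveState {
    param([string]$Name)
    $exch = Get-ExchangeServer -Identity $Name
    Import-Module WebAdministration
    $rules = Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/rewrite/rules/rule'
    [pscustomobject]@{
        Server             = $exch.Name
        Build              = $exch.AdminDisplayVersion
        JuneUpdateKB       = Test-JuneUpdateInstalled
        MitigationsApplied = @($exch.MitigationsApplied)
        MitigationsBlocked = @($exch.MitigationsBlocked)
        RewriteRules       = @($rules | ForEach-Object { $_.name })
    }
}

$state = Get-ExchangeCveState -Name $Server
$state | Format-List

if ($Remediate) {
    if (-not $state.JuneUpdateKB) {
        throw "Refusing to touch the mitigation: no June 2026 SU found on $Server. Patch first."
    }
    if ($state.RewriteRules -notcontains $MitigationId) {
        throw "No rewrite rule named '$MitigationId' on $Server; check the RewriteRules list above."
    }
    # 1. Stop EEMS from re-applying the mitigation on its next check-in.
    Set-ExchangeServer -Identity $Server -MitigationsBlocked @($MitigationId)
    # 2. Remove the rewrite rule itself. ASSUMPTION: the rule name equals the
    #    mitigation ID; the guard above enforces that before anything is deleted.
    Remove-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/rewrite/rules' -Name '.' -AtElement @{ name = $MitigationId }
    Write-Output "Blocked and removed mitigation '$MitigationId' on $Server"
}
```

Run it once without -Remediate on every server to record build, KB and mitigation state; the ordering of the guards mirrors Microsoft's advice that the block must precede the removal, so that EEMS does not silently re-apply the rule between the two steps.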
Admins Should Patch Before Troubleshooting OWA Side Effects
Organizations should treat CVE-2026-42897 as an urgent on-premises Exchange Server issue because Microsoft has confirmed real-world exploitation and CISA has added it to its exploited-vulnerability catalog.
The Exchange Server SE update gives Subscription Edition customers the cleanest path to the permanent fix. Legacy Exchange 2016 and 2019 customers should confirm ESU access or move to Exchange SE.
For exposed OWA deployments, the priority order is simple: keep mitigation active, install the June update, verify the server state, and then decide whether any mitigation removal is necessary to restore affected OWA functionality.
FAQ
What is CVE-2026-42897?
CVE-2026-42897 is a Microsoft Exchange Server spoofing vulnerability tied to cross-site scripting in Outlook Web Access. It can allow attacker-controlled JavaScript to run in a victim’s browser when a specially crafted email is opened in OWA under certain conditions.
Is CVE-2026-42897 being exploited?
Yes. Microsoft marked CVE-2026-42897 as exploitation detected, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.
Does CVE-2026-42897 affect Exchange Online?
No. Microsoft says Exchange Online customers are already protected. The issue is relevant to organizations running on-premises Exchange Server.
Which Exchange Server versions have a fix?
Microsoft released June 2026 security updates for Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. Exchange 2016 and 2019 updates require ESU eligibility.
Should the EEMS mitigation be removed after patching?
Microsoft recommends keeping the mitigation in place for now as an additional defense layer. If administrators remove it after installing the June update, they should first follow Microsoft’s guidance to block it from being reapplied and then remove the mitigation rules carefully.