Exchange Server OWA Zero-Day CVE-2026-42897 Exploited With No Permanent Patch and New Mitigation Gaps

Microsoft’s emergency fix for on-premises Exchange breaks OWA calendar printing and leaves Internet Explorer mode unprotected — five days after disclosure and counting


Organizations running on-premises Microsoft Exchange Server are facing a five-day-old zero-day with no permanent fix in sight and a growing list of side-effects from the only protection currently available. Microsoft confirmed on May 14 that CVE-2026-42897 — a cross-site scripting flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition — is under active exploitation in the wild. An attacker needs only to send a crafted email; if the recipient opens it in OWA, arbitrary JavaScript executes inside their authenticated browser session, enabling session token theft, mailbox impersonation, and email rule manipulation without the attacker ever touching the server itself. No permanent patch exists. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on May 15, giving Federal Civilian Executive Branch agencies until May 29 to apply mitigations.

One Crafted Email Gives Attackers Full Session Control — Without Touching the Server

Cross-site scripting vulnerabilities are often dismissed as low-severity web nuisances. CVE-2026-42897 illustrates why that assumption is wrong when the target is an enterprise mail server. The attack chain begins entirely outside the target organization: an unauthenticated attacker sends a specially crafted email. No prior foothold, no stolen credential, and no network access is required. When the victim opens that message in OWA and certain interaction conditions are met, the Exchange server reflects attacker-controlled JavaScript back into the browser session, executing in the context of the victim's authenticated OWA session.

Bogdan Tiron, founder of penetration testing firm Fortbridge, described the impact in a LinkedIn post: the risk is not server compromise but mailbox compromise — reading mail, sending messages as the victim, stealing session tokens, and planting email forwarding rules that persist even after password resets. Tiron warned that this class of flaw "still owns enterprise mail in 2026," noting that attackers continue to rely on cross-site scripting for precisely this reason: it works. "The boring vulnerabilities are the ones that keep working," he wrote.

The Centre for Cybersecurity Belgium, in an advisory issued May 18, documented the same risk pathway: successful exploitation results in session token capture, identity spoofing, unauthorized mailbox access, and modification of email content and settings. Captured session tokens can then be used to pivot into other Microsoft 365 services tied to the same identity — SharePoint, Teams, and cloud storage — without triggering a fresh authentication challenge.

The flaw carries a CVSS score of 8.1. Microsoft confirmed active exploitation on the same day as disclosure, May 14. CISA moved within 24 hours to add it to the Known Exploited Vulnerabilities catalog, a list reserved for flaws with confirmed active exploitation in the wild.

Microsoft's Emergency Mitigation Carries New Gaps Disclosed on May 18

Microsoft deployed a temporary fix through its Exchange Emergency Mitigation Service on May 14. The service pushes a URL rewrite configuration automatically to Exchange Mailbox servers where it is enabled, which it is by default on supported Exchange builds. Administrators can verify that mitigation ID M2 has been applied by running the Exchange Health Checker script, which produces an HTML report with a dedicated EEMS check section.

For air-gapped or disconnected environments where the service cannot reach Microsoft's servers, the Exchange On-premises Mitigation Tool provides a manual alternative, deployed through an elevated Exchange Management Shell.

However, Microsoft updated its advisory on May 18 with a series of new known issues, expanding a list that was already growing. After applying the mitigation, the OWA Print Calendar feature stops working entirely; Microsoft's workaround is to copy calendar data, take a screenshot, or switch to the Outlook desktop client. Inline images no longer display correctly in recipients' OWA reading panes, with the workaround being to send images as attachments or use the desktop client. The legacy OWA Light interface — accessed via a URL ending in /?layout=light — also stops working, though Microsoft notes it was deprecated years ago and is not intended for production use. The OWACalendar.Proxy healthset begins reporting as unhealthy, which can flood monitoring platforms with false alerts; Microsoft advises suppressing those alerts until the permanent fix is released.

Most significantly, the May 18 update added an explicit note that the mitigation does not protect users accessing OWA through Internet Explorer or Microsoft Edge in Internet Explorer compatibility mode. Organizations that still route OWA access through legacy IE-based clients — common in some regulated and government environments — remain fully exposed even after applying the fix.

A Patch Tuesday Miss Followed by Five Days Without a Fix

The timing of the disclosure carries its own significance. Microsoft's May 2026 Patch Tuesday, issued two days before the CVE-2026-42897 disclosure, addressed 138 separate vulnerabilities. None of them was CVE-2026-42897. The zero-day was disclosed separately on May 14, meaning the flaw either was not known internally at patch finalization or was held from the batch cycle. Microsoft has not explained the timing gap.

As of May 19, Microsoft has not disclosed the identity of the threat actor behind the attacks, the specific organizations targeted, or the scale of exploitation. The CISA KEV designation, issued within 24 hours of disclosure, signals that exploitation was confirmed and active at the moment of disclosure, not discovered afterward. Exchange Server has historically attracted rapid attention from both nation-state operators and financially motivated ransomware groups, because the email server sits at the center of organizational communications and is frequently internet-facing.

Exchange Server 2016 and 2019 customers should also be aware that the permanent patch for those versions will be delivered only through Microsoft's Extended Security Update program. Customers on Period 1 of that program, which ended in April 2026, are ineligible and will not receive the fix through that channel.

What Administrators Should Do Before the Permanent Patch Arrives

Organizations running on-premises Exchange Server 2016, 2019, or Subscription Edition should first confirm whether the Exchange Emergency Mitigation Service is enabled and has applied mitigation M2. The Exchange Health Checker script, available from Microsoft at aka.ms/ExchangeHealthChecker, produces an HTML report with a dedicated EEMS check section.

If EEMS is unavailable — because the server cannot reach Microsoft's infrastructure, or because the Exchange version predates the March 2023 cumulative update — the Exchange On-premises Mitigation Tool must be applied manually for each affected server.
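The EEMS verification described in the mitigation section and in the first step above can also be done directly from the Exchange Management Shell. The script below is an added example, not Microsoft's or the article's own code: it assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that Microsoft's EEMS documentation exposes on Get-OrganizationConfig and Get-ExchangeServer, and treats "M2" as the mitigation ID the article reports.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated Exchange Management Shell.
# Reports, per Mailbox server, whether EEMS is on and whether mitigation M2 is applied or blocked,
# so servers that still need the manual EOMT path stand out.
$MitigationId = 'M2'   # the mitigation ID reported for CVE-2026-42897

# Org-level switch: if this is $false, EEMS is disabled for every server in the organization.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    if (($applied -contains $MitigationId) -and ($blocked -notcontains $MitigationId)) {
        $status = 'MITIGATED'
    } elseif (-not $orgEnabled -or -not $srv.MitigationsEnabled) {
        $status = 'EEMS DISABLED - apply EOMT manually'
    } else {
        $status = 'NOT MITIGATED - check EEMS connectivity/logs'
    }

    [pscustomobject]@{
        Server            = $srv.Name
        OrgEemsEnabled    = $orgEnabled
        ServerEemsEnabled = $srv.MitigationsEnabled
        M2Applied         = ($applied -contains $MitigationId)
        M2Blocked         = ($blocked -contains $MitigationId)
        Status            = $status
    }
}

$report | Format-Table -AutoSize
```

Any server that reports anything other than MITIGATED is a candidate for the Exchange On-premises Mitigation Tool, and every server still needs the IE-mode caveat applied separately since the mitigation does not cover those clients.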

Any organization routing OWA access through Internet Explorer or Edge in IE compatibility mode must treat the current mitigation as incomplete. The May 18 advisory explicitly confirmed those clients remain unprotected. Restricting or redirecting IE-mode OWA access until the permanent fix is available is the only current option for those environments.

Beyond the mitigation, organizations should review whether OWA needs to remain publicly internet-facing during the window before the permanent patch arrives. Restricting OWA access behind a virtual private network or conditional access gateway eliminates the externally reachable attack surface entirely. Monitoring for anomalous OWA session activity — unusual geographic access, bulk email reads, or newly created forwarding rules — can surface exploitation that has already occurred, since applying the mitigation does not remediate any prior compromise.
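One concrete way to hunt for the persistence the article describes, namely forwarding rules planted in a compromised OWA session, is to enumerate every mailbox for forwarding or redirect rules and mailbox-level forwarding. This is an added example, not code from the article; it assumes the Get-Mailbox and Get-InboxRule cmdlets of Exchange on-premises, a constructed placeholder list of internal domains, and that rule targets render in the "Name [SMTP:address]" form when converted to a string.

```powershell
# Added example (not from the article). Run in an Exchange Management Shell with rights to read inbox rules.
# Lists inbox rules that forward/redirect mail and mailboxes with forwarding set on the object itself,
# flagging targets outside the organization. Review these as indicators of prior mailbox compromise.
$internalDomains = @('example.com')   # constructed placeholder: replace with your accepted domains

function Test-ExternalTarget {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        # Assumption: targets look like 'Display Name [SMTP:user@domain]' or a bare address.
        $addr = if ($t -match 'SMTP:([^\]]+)') { $Matches[1] } else { $t }
        $dom  = ($addr -split '@')[-1]
        if ($dom -and ($internalDomains -notcontains $dom)) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding configured on the mailbox object
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding'; Rule = ''
            Target  = $target; External = (Test-ExternalTarget -Targets @($target))
            DeleteMessage = $false
        }
    }
    # Inbox rules that forward, forward-as-attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @( (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                      Where-Object { $_ } | ForEach-Object { $_.ToString() } )
        if ($targets.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Type = 'InboxRule'; Rule = $rule.Name
                Target  = ($targets -join '; '); External = (Test-ExternalTarget -Targets $targets)
                DeleteMessage = [bool]$rule.DeleteMessage   # forward-and-delete hides the activity from the victim
            }
        }
    }
}

$findings | Sort-Object External, DeleteMessage -Descending | Format-Table -AutoSize
```

Rules that both forward externally and delete the original are the highest-priority findings; removing them does not reverse a session-token theft, so re-authenticating affected users remains necessary.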

Microsoft has not announced a release date for the permanent patch. Based on the standard monthly cadence, the next Patch Tuesday falls on June 10, 2026.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
