Microsoft Exchange OWA Zero-Day Under Active Attack: How to Mitigate CVE-2026-42897 Right Now While Waiting for the Patch
Eric Serrano Bustos
Exchange on-premises administrators arriving at the office today have an urgent task on their list. Microsoft has confirmed active exploitation of CVE-2026-42897, a zero-day in Outlook Web Access (OWA) of Exchange Server that allows an unauthenticated attacker to execute malicious JavaScript in the browser of any user who opens a specially crafted email. No permanent patch is available. The only defence today is the emergency mitigation Microsoft deployed on 14 May. CISA added it to the KEV catalog on 15 May with a federal remediation deadline of 29 May.
What do we know about the CVE-2026-42897 zero-day in Microsoft Exchange?
Vulnerability: cross-site scripting (XSS) in Outlook Web Access (OWA) of Exchange Server on-premises. Microsoft classifies it as a spoofing vulnerability.
CVSS 8.1 — the attacker requires no prior authentication or server access. The attack starts in an inbox.
Affected versions: Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition (SE). Exchange Online and Microsoft 365 are NOT affected.
Attack vector: specially crafted email → user opens it in OWA → malicious JavaScript executes in the victim’s browser context → session hijacking, credential theft, email access and lateral movement.
Timing: surfaced 48 hours after May 2026 Patch Tuesday, which patched 137 vulnerabilities with no zero-days in its release notes.
Active exploitation confirmed: Microsoft confirmed real-world attacks but has not disclosed details about threat actors or targeted organisations.
CISA KEV: added 15 May. Federal deadline: 29 May 2026.
No permanent patch: one is in preparation for Exchange SE RTM, Exchange 2016 CU23 and Exchange 2019 CU14/CU15. Patches for 2016 and 2019 will only be available to customers enrolled in Extended Security Updates (ESU).
Why Exchange on-premises is the highest-priority target for attackers
Direct access to high-value internal communications. Compromising Exchange gives access to all corporate email: executive conversations, credentials sent via email, sensitive documents and remote access configurations.
Low-noise lateral movement vector. A compromised Exchange server can be used to send apparently legitimate internal emails, create mailbox rules that silently exfiltrate messages to external accounts, and pivot to other network systems.
High-durability persistence. Exchange servers are rarely rebooted, their logs are less monitored than domain controllers, and malicious mailbox rules can survive undetected for months.
History of mass exploitation. ProxyLogon and ProxyShell compromised tens of thousands of servers worldwide. CISA’s KEV catalog already lists nearly two dozen Exchange CVEs. CVE-2026-42897 follows the same pattern.
How this attack works: from email to server compromise
Email with XSS payload prepared: the email contains specially crafted HTML content with the malicious JavaScript payload, exploiting inadequate input neutralisation in OWA’s web page generation.
Delivery to the inbox: no prior server access is required. The delivery channel is the corporate mail system itself.
Opening in OWA: when the message is rendered in the browser, under certain interaction conditions, arbitrary JavaScript executes in the context of the victim’s active OWA session.
Authenticated session access: the attacker can steal session tokens, read and exfiltrate emails, create malicious mailbox rules (silent forward to external account) and execute actions on behalf of the victim within OWA.
Post-exploitation: NTLM relay, access to internal directories and lateral movement to other corporate network systems.
Key lessons and mitigation checklist: what your team must do right now
Step 1 — Verify exposure (immediate)
Confirm which Exchange Server on-premises versions your organisation runs. All are affected.
Verify whether OWA is internet-facing. The greater the public exposure, the greater the urgency.
Step 2 — Mitigation A: Exchange Emergency Mitigation Service (EEMS)
Check whether the Exchange Emergency Mitigation Service (EEMS) is enabled via the Exchange Admin Center or PowerShell.
EEMS is enabled by default on Exchange 2016, 2019 and SE. If enabled, Microsoft automatically deploys the M2.1.x mitigation via URL rewrite on the server.
To verify correct application, run the Exchange Health Checker available at aka.ms/ExchangeHealthChecker.
If EEMS was disabled: enable it now via PowerShell: Set-ExchangeDiagnosticsInfo -Server [Server] -Process MSExchangeServiceHost -Component MitigationService -Enabled $true
Step 3 — Mitigation B: EOMT.ps1 for air-gapped or EEMS-less environments
Download the latest Exchange On-premises Mitigation Tool (EOMT) and run it from an elevated Exchange Management Shell.
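The checks in Steps 1 to 3, as an added example that is not part of the article and not a Microsoft script: it reads the EEMS switches Microsoft exposes on the organisation config and on each Mailbox server (the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties, present on Exchange 2016 CU22 and later, 2019 CU11 and later, and SE), turns EEMS back on where it is off, and then lists what each server has applied. The filter on the prefix M2.1 is an assumption about how the mitigation named in the article appears in MitigationsApplied; check the ID against the Health Checker output.

```powershell
# Added example (not from the article): verify EEMS state on every Mailbox server,
# enable it where it is off, and summarise the mitigations each server has applied.
# Assumes: run from an elevated Exchange Management Shell on Exchange 2016 CU22+/2019 CU11+/SE.
# The 'M2.1' prefix reflects the mitigation name used in the article and is an assumption
# about how the ID is reported in MitigationsApplied.

$expectedPrefix = 'M2.1'

# Organisation-wide switch: if this is $false, no server applies mitigations
# regardless of its own per-server flag.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "Organisation-level MitigationsEnabled is False; enabling it."
    Set-OrganizationConfig -MitigationsEnabled $true
}

# Per-server state. Edge Transport servers do not run EEMS, so only Mailbox role servers are listed.
$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' })) {
    if (-not $srv.MitigationsEnabled) {
        Write-Warning "$($srv.Name): MitigationsEnabled is False; enabling it."
        Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true
    }
    $applied = @($srv.MitigationsApplied)
    [pscustomobject]@{
        Server      = $srv.Name
        Enabled     = $srv.MitigationsEnabled
        Applied     = ($applied -join ', ')
        Blocked     = (@($srv.MitigationsBlocked) -join ', ')
        HasOwaMitig = [bool]($applied | Where-Object { $_ -like "$expectedPrefix*" })
    }
}
$report | Format-Table -AutoSize

# Detailed per-server view of applied mitigations, using the script that ships with Exchange.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
```

EEMS applies mitigations on its next polling cycle, so a server you have just enabled will still show an empty Applied column until the service has run; re-run the report after that. In an air-gapped environment, where EEMS cannot reach Microsoft's endpoint, apply the mitigation with EOMT.ps1 as described in Step 3 and then use the same report to confirm the result.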
Step 4 — Known side effects (communicate to users)
OWA Print Calendar may not work. Workaround: screenshot or Outlook Desktop client.
Inline images in the OWA reading pane may not display correctly. Workaround: send images as attachments or use Outlook Desktop.
OWA light (URL ending in ?layout=light) does not work — deprecated feature, no production impact.
Step 5 — Monitoring (this week)
Enable SIEM alerts on unusual OWA traffic and requests with suspicious URL parameters.
Review OWA logs from the past 7 days for anomalous requests that may indicate exploitation attempts prior to mitigation.
Look for recently created mailbox rules forwarding email to unrecognised external addresses.
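The mailbox-rule review in Step 5, as an added example that is not part of the article: it walks every mailbox, flags inbox rules and mailbox-level forwarding whose targets lie outside the organisation's accepted domains, and then pulls the last seven days of New-InboxRule and Set-InboxRule activity from the admin audit log to show who created or changed rules. It assumes an elevated Exchange Management Shell and admin audit logging left at its default (enabled); the assumption behind the audit query is that rules created through the OWA Options page are executed through those same cmdlets and are therefore recorded.

```powershell
# Added example (not from the article): hunt for inbox rules and mailbox forwarding that
# send mail outside the organisation, then list recent inbox-rule changes from the audit log.
# Assumes: elevated Exchange Management Shell; admin audit logging enabled (the default).

$lookbackDays = 7
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Get-InboxRule reports recipients as strings such as "Name [SMTP:user@example.com]";
# pull out the SMTP address so the domain can be compared.
function Get-SmtpFromRecipient([string]$recipient) {
    if ($recipient -match 'SMTP:([^\]]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-ExternalAddress([string]$address) {
    if (-not $address) { return $false }
    $domain = $address.Split('@')[-1]
    return ($internalDomains -notcontains $domain)
}

$findings = @()
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Mailbox-level forwarding (set with Set-Mailbox) is stored as "smtp:address".
    if ($mbx.ForwardingSmtpAddress) {
        $target = ($mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', '').ToLower()
        if (Test-ExternalAddress $target) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = 'ForwardingSmtpAddress'; Rule = '-'; Target = $target }
        }
    }
    # Inbox rules that forward, forward-as-attachment or redirect.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            $addr = Get-SmtpFromRecipient ([string]$t)
            if (Test-ExternalAddress $addr) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = 'InboxRule'; Rule = $rule.Name; Target = $addr }
            }
        }
    }
}

Write-Host "External forwarding found: $($findings.Count)"
$findings | Format-Table -AutoSize

# Who created or modified inbox rules (or mailbox forwarding) in the lookback window.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox -StartDate (Get-Date).AddDays(-$lookbackDays) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

Treat any external target that nobody can account for, and any rule change whose Caller does not match the mailbox owner or a known administrator, as a lead for the OWA log review rather than as proof of compromise; rules with innocuous names are common in legitimate use, so the target address and the creation time are the stronger signals.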
Step 6 — Patching plan (29 May as reference deadline)
Prepare an update window to apply the permanent patch once available for your version.
For Exchange 2016 and 2019: verify Extended Security Updates (ESU) enrolment status.
Use 29 May as the deadline to have mitigation verified and patching plan documented.
Cybersecurity as a strategic priority
CVE-2026-42897 is yet another Exchange zero-day under active exploitation within a span of under five years. The pattern is invariable: Exchange on-premises concentrates access to high-value corporate communications, is internet-facing in thousands of organisations, and its patching cycles are slow. That combination makes it a permanent first-order target.
For Spanish organisations running Exchange on-premises — especially public administrations, financial institutions and professional services SMEs — today’s mitigation is mandatory. So is tomorrow’s patching plan.
Apolo Cybersecurity: protecting on-premises Exchange environments and responding to active zero-days
At Apolo Cybersecurity we help organisations running Exchange on-premises verify EEMS status, apply EOMT, review suspicious mailbox rules, detect post-exploitation activity in Exchange, and plan the permanent patch rollout once available.
If your organisation runs Exchange on-premises and you are not certain that the M2.1.x mitigation has been correctly applied, this Monday morning is the time to verify it. Not Tuesday.