CVE-2026-42897: Microsoft Exchange Server Zero-Day Exploited in the Wild — No Permanent Patch, CISA Deadline May 29
Sources: Microsoft Exchange Team · The Hacker News · Help Net Security · CISA KEV Catalog · SOCPrime · Senthorus · Security Affairs · Messageware | CVE: CVE-2026-42897 | CVSS: 8.1 High | CISA KEV: Added May 15, 2026 | Federal deadline: May 29, 2026 | Permanent patch: Not yet available
Your email server is the attack surface
Email is the most trusted communication channel in any organization. It is also, consistently, one of the most exploited. CVE-2026-42897 combines both facts into a single, actively exploited attack: an adversary sends a specially crafted email. The target opens it in Outlook Web Access. Arbitrary JavaScript — attacker-controlled code — executes inside the victim’s authenticated OWA browser session. No password required. No malware installed. No suspicious attachment. Just an email and a click.
Microsoft disclosed CVE-2026-42897 on May 14, 2026 with an immediate “Exploitation Detected” tag. CISA added it to the Known Exploited Vulnerabilities catalog on May 15, giving federal agencies a deadline of May 29 to remediate. A permanent patch is still in development. The temporary mitigation — delivered through Microsoft’s Exchange Emergency Mitigation Service — must be applied manually on servers where EEMS has been disabled.
This is one of three active Microsoft zero-days DataWater is currently tracking. MiniPlasma gives SYSTEM privileges on fully patched Windows — no patch until June 10. And the CISA Nx Console supply chain advisory documents how attacker-compromised developer machines can be used to reach email infrastructure through stolen credentials. The Verizon DBIR 2026 found that exploitation overtook credential theft as the #1 breach vector this year — CVE-2026-42897 is a live case study in exactly that shift.
| Field | Detail |
|---|---|
| CVE | CVE-2026-42897 |
| CVSS Score | 8.1 High |
| CWE | CWE-79 — Cross-Site Scripting in Outlook Web Access |
| Affected products | Exchange Server 2016 · Exchange Server 2019 · Exchange Server Subscription Edition RTM |
| Not affected | Exchange Online (Microsoft 365) |
| Attack vector | Crafted email → victim opens in OWA → JavaScript executes in authenticated browser session |
| Authentication required | None (attacker side) |
| Disclosed | May 14, 2026 — tagged “Exploitation Detected” at disclosure |
| CISA KEV added | May 15, 2026 |
| Federal deadline | May 29, 2026 (BOD 22-01) |
| Permanent patch | Not yet available — Microsoft preparing fix |
| Temporary mitigation | Exchange EEMS URL Rewrite rule — auto-applied if EEMS enabled |
The attack in plain English: one email, one click, session hijacked
Here is the full attack flow:
- Attacker sends a crafted email. No credentials needed. No access to the Exchange server. Just the ability to send an email to a valid address — achievable from any external account.
- Victim opens the email in Outlook Web Access. The vulnerability is OWA-specific. Desktop Outlook clients, Exchange ActiveSync, and other access methods are not affected. Any user who accesses OWA — including while traveling or using a personal device — is a potential target.
- “Certain interaction conditions” are met. Microsoft has not specified the exact conditions (standard practice for active exploitation scenarios). What is confirmed: real attackers have reliably triggered the vulnerability.
- Arbitrary JavaScript executes in the victim’s browser. With full access to the authenticated OWA session — reading all email, sending on behalf of the victim, accessing calendar and contacts, exfiltrating session cookies, creating silent email forwarding rules, and pivoting to any other web-based system trusting those cookies.
OWA session compromise is a reliable pivot point for business email compromise (BEC) attacks — the fraud category costing organizations more than any other cybercrime type globally. An attacker with OWA JavaScript execution on a finance team member’s session can initiate fraudulent wire transfer requests that appear to come from that person’s own account, with perfect email metadata and no indication of external origin.
This appeared two days after Patch Tuesday — a pattern worth understanding
Microsoft’s May 2026 Patch Tuesday landed on May 12, patching 138 vulnerabilities. CVE-2026-42897 was disclosed on May 14 — two days later — as a zero-day not addressed in that patch cycle. Organizations that completed their May Patch Tuesday deployment and moved on are not protected. CVE-2026-42897 requires a separate, manual action beyond the regular Patch Tuesday process. This pattern — critical Exchange flaws emerging shortly after Patch Tuesday — has recurred with ProxyLogon (2021), ProxyShell (2021), ProxyNotShell (2022), and multiple subsequent Exchange vulnerabilities. It is a structural characteristic of Exchange Server’s complexity, not an anomaly.
The EEMS mitigation: verify it applied, understand its side effects
Verify EEMS mitigation status
```powershell
# Check if the EEMS service is running
Get-Service -Name MSExchangeMitigation
# Check applied mitigations — look for CVE-2026-42897 with Status "Applied"
# (run from the Exchange Scripts folder, or prefix the script with its full path)
.\Get-Mitigations.ps1 -ExchangeServerNames $env:COMPUTERNAME
```
Apply manually if EEMS is disabled
```powershell
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
```
Known cosmetic issue: Microsoft confirmed the mitigation may show “Mitigation invalid for this exchange version” in the Description field. This is cosmetic — if the Status field says “Applied,” the mitigation is active.
Known side effects of the mitigation
- OWA Print Calendar functionality may not work — use desktop Outlook as workaround
- Inline images may not display correctly in the OWA reading pane — send as attachments or use desktop Outlook
- OWA light mode (/?layout=light) does not work properly — deprecated feature, not intended for production use
- OWACalendar.Proxy healthset may show unhealthy — false positive caused by the URL Rewrite rule; ignore while mitigation is active
Remediation steps
- Immediately verify EEMS mitigation status on every on-premises Exchange server. Run `Get-Mitigations.ps1` and confirm CVE-2026-42897 shows status “Applied” on each server.
- If EEMS is disabled on any server, apply the EOMT script manually immediately.
- Audit OWA access logs since May 14, 2026 for suspicious activity — unfamiliar IP logins, mass email access, unexpected rule creation.
- Check for malicious inbox rules on high-value accounts. Run `Get-InboxRule -Mailbox [username]` on executive, finance, legal, and HR mailboxes. Look for rules forwarding externally, auto-deleting, or moving messages to obscure folders.
- Review OWA internet exposure. If not all users need external OWA access, restrict it to specific IP ranges via Exchange or a reverse proxy/WAF.
- Apply the permanent fix as soon as Microsoft releases it. Deploy within 24 hours. Enable EEMS on any server where it was disabled.
- Federal agencies: document compliance with BOD 22-01 by May 29, 2026.
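The per-server mitigation check and the inbox-rule audit from the steps above, combined into one added PowerShell example (not Microsoft's or DataWater's code). It assumes an Exchange Management Shell, that Get-Mitigations.ps1 emits the Status property the brief cites, and uses constructed mailbox names.

```powershell
# Added example; not from Microsoft or DataWater. Run in the Exchange Management Shell.
$Cve = 'CVE-2026-42897'

function Test-EemsMitigation {
    # One row per non-Edge server: EEMS service state and whether the CVE mitigation is Applied.
    $script = Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1'
    foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
        $svc  = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        $rows = & $script -ExchangeServerNames $srv.Name 2>$null
        # Assumption: the CVE id appears somewhere in the row and Status is a property.
        $hit  = $rows | Where-Object { ($_ | Out-String) -match $Cve }
        [pscustomobject]@{
            Server      = $srv.Name
            EemsRunning = ($svc.Status -eq 'Running')
            # Description may say "Mitigation invalid for this exchange version"; only Status counts.
            Applied     = [bool]($hit | Where-Object { $_.Status -eq 'Applied' })
        }
    }
}

function Find-SuspiciousInboxRule {
    param([string[]]$Mailboxes)
    # Accepted domains are "internal"; any forward/redirect target outside them is flagged.
    $internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }
    foreach ($mbx in $Mailboxes) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx) {
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                        ForEach-Object { "$_" }
            # Pull bare SMTP addresses out of the recipient strings, keep those not in an accepted domain.
            $external = $targets | ForEach-Object { [regex]::Matches($_, '[\w.+-]+@[\w.-]+') } |
                        ForEach-Object { $_.Value.ToLower() } |
                        Where-Object { $addr = $_; -not ($internal | Where-Object { $addr.EndsWith("@$_") }) }
            $flags = @()
            if ($external)           { $flags += "external-forward:$($external -join ',')" }
            if ($rule.DeleteMessage) { $flags += 'auto-delete' }
            if ($rule.MoveToFolder)  { $flags += "move-to:$($rule.MoveToFolder)" }
            if ($flags) {
                [pscustomobject]@{ Mailbox = $mbx; Rule = $rule.Name; Enabled = $rule.Enabled; Flags = ($flags -join '; ') }
            }
        }
    }
}

Test-EemsMitigation | Format-Table -AutoSize
# Constructed mailbox names; substitute the executive, finance, legal and HR accounts you actually audit.
Find-SuspiciousInboxRule -Mailboxes 'cfo@example.com', 'hr@example.com' | Format-Table -AutoSize
```

A server showing EemsRunning false or Applied false is the one to run EOMT on; a rule flagged external-forward or auto-delete on a high-value mailbox warrants the log review in the step above.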
Related DataWater coverage
- 🔴 MiniPlasma: Windows SYSTEM Zero-Day — the other active Microsoft zero-day, published the same day. Standard user → SYSTEM shell. No patch until June 10.
- 🔴 CVE-2026-0257: Palo Alto PAN-OS Auth Bypass — VPN authentication bypass giving network access. CISA KEV June 19. Active two-wave exploitation campaign.
- 🔴 CISA: Nx Console / GitHub Supply Chain — stolen developer credentials from this campaign can include Exchange admin credentials. June 10 deadline.
- 🔴 CVE-2026-34926: Trend Micro Apex One Zero-Day — security tool weaponized as delivery mechanism. CISA KEV June 4. Active exploitation confirmed.
- 🔴 CVE-2026-20182: CVSS 10.0 Cisco SD-WAN Auth Bypass — 11 threat clusters exploiting network management infrastructure. CISA Emergency Directive.
- 📊 Verizon DBIR 2026 — exploitation now the #1 breach vector. BEC attacks from OWA session compromise are a top ransomware enabler. The macro context for this vulnerability.
- 🔴 Dead.Letter (CVE-2026-45185): Exim CVSS 9.8 RCE — the Linux mail server equivalent. One SMTP sequence, unauthenticated RCE. AI built the exploit in 7 days.
Sources and further reading
- Microsoft Exchange Team — Addressing Exchange Server May 2026 Vulnerability CVE-2026-42897 (official)
- The Hacker News — On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
- Help Net Security — Unpatched Microsoft Exchange Server Vulnerability Exploited
- Senthorus — Deep Dive: CVE-2026-42897 Spoofing Vulnerability in Microsoft Exchange OWA
- Security Affairs — CVE-2026-42897: Microsoft Confirms Active Exploitation
- CISA — Known Exploited Vulnerabilities Catalog
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #14 — May 19, 2026. Browse the full threat brief series. Next: TanStack → GitHub Supply Chain Breach (May 21) · Previous: MiniPlasma Windows Zero-Day (May 19).
