ProBackend
cybersecurity
Jun 19, 20268 min read

Microsoft Patches Exchange Server Zero-Day CVE-2026-42897 Exploited in Active Attacks

Microsoft has patched CVE-2026-42897, a high-severity spoofing vulnerability affecting Exchange Server 2016, 2019, and Subscription Edition that allows remote attackers to execute arbitrary JavaScript in cross-site scripting attacks against Outlook Web Access users.

Percy Caldwell

Microsoft has patched CVE-2026-42897, a high-severity spoofing vulnerability affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users.

This vulnerability has been actively exploited in the wild, prompting urgent patching guidance from Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA). The issue was first addressed through Microsoft's Exchange Emergency Mitigation Service (EEMS) in mid-May 2026, followed by the release of official security updates in June 2026.

In this article, we provide a comprehensive overview of CVE-2026-42897, including technical details, exploitation methods, mitigation steps, and recommendations for Exchange administrators.

Technical Background: How CVE-2026-42897 Works

CVE-2026-42897 is a cross-site scripting vulnerability that affects Exchange Server's handling of email content. An attacker could exploit this issue by sending a specially crafted email to a target user. When the user opens the malicious email in Outlook Web Access (OWA) and certain interaction conditions are met, arbitrary JavaScript can be executed within the browser context.

Vulnerability Details

  • CVE Identifier: CVE-2026-42897
  • Affected Products: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition
  • Attack Vector: Malicious email with crafted content
  • Required Privileges: None (remote, unauthenticated attacker)
  • Impact: Arbitrary JavaScript execution in OWA context

The vulnerability stems from improper sanitization of email content before it is rendered in the OWA interface. When a user views the malicious email, specially crafted HTML or JavaScript code within the email can execute with the privileges of the authenticated OWA session, potentially leading to:

  • Session hijacking
  • Theft of email content and attachments
  • Unauthorized access to user data
  • Installation of malware or backdoors
  • Lateral movement within the network

Microsoft's Initial Response: Exchange Emergency Mitigation Service (EEMS)

Microsoft first addressed this vulnerability through its Exchange Emergency Mitigation Service (EEMS) in mid-May 2026. EEMS automatically applies temporary mitigations to protect Exchange environments even before official security updates are available.

The Exchange Team released the following guidance on May 2026:

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context."

This early mitigation approach allowed Microsoft to provide immediate protection while developing and testing the official security update.

Evidence of Active Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026. This addition triggered mandatory patching requirements for U.S. government agencies.

CISA KEV Catalog Entry

CISA's KEV catalog entry includes the following key information:

  • Date Added to KEV Catalog: May 15, 2026
  • Reported Active Exploitation: Confirmed by CISA
  • Required Action: Patch within 2 weeks of catalog addition
  • Due Date for Agencies: May 29, 2026

Historical Context: Exchange Server Vulnerabilities

Over the past five years, CISA has added 20 Microsoft Exchange Server vulnerabilities to its KEV catalog. Notably:

  • 14 of 20 Exchange Server vulnerabilities in the KEV catalog have been exploited by ransomware gangs
  • October 2025: CISA and NSA released hardening guidance after Exchange Server 2016 and 2019 reached end-of-support
  • Ongoing Pattern: Exchange Server remains a high-priority target for threat actors due to its prevalence and the sensitive data it handles

This vulnerability continues a troubling trend where Exchange Server vulnerabilities are actively weaponized before official patches are available, forcing organizations into reactive security postures.

Microsoft's Official Response and Guidance

Microsoft released official security updates for CVE-2026-42897 in June 2026. The company provided comprehensive guidance to administrators on deployment and mitigation.

Official Security Updates

Microsoft's security update guidance included the following key recommendations:

  1. Deploy June 2026 Security Updates immediately: Microsoft advised administrators to install the security updates for their specific Exchange Server version "as soon as possible."

  2. Leave Existing Mitigations in Place: Even after patching, Microsoft recommended keeping the EEMS mitigations active as they provide an additional layer of defense.

  3. Continuous Protection: Microsoft emphasized that the mitigation service provides "continuous protection as further improvements are released."

The company's messaging reflected the severity of the vulnerability and the active exploitation threat:

"As part of our ongoing efforts to strengthen security and improve defenses across environments, we continue to enhance protections for cross-site scripting attacks."

Patching Guidance by Version

Administrators need to apply the appropriate security update for their Exchange Server version:

  • Exchange Server 2016: Apply June 2026 Cumulative Update
  • Exchange Server 2019: Apply June 2026 Cumulative Update
  • Exchange Server Subscription Edition: Apply June 2026 Monthly Update

Verification Steps After Patching

After applying the security update, administrators should:

  1. Restart Exchange Services: Ensure all Exchange services restart cleanly
  2. Verify Update Installation: Check the build number matches the patched version
  3. Test OWA Functionality: Confirm users can access Outlook Web Access without issues
  4. Review Event Logs: Look for any Exchange-related errors in Windows Application logs
  5. Monitor Attack Statistics: Watch for continued exploitation attempts that may indicate incomplete patching or additional vulnerabilities

Patching Checklist for Exchange Administrators

Follow this comprehensive checklist to address CVE-2026-42897 in your environment:

Pre-Patching Preparation

  • Inventory Exchange Servers: Document all Exchange Server instances, including versions, roles, and service packs
  • Review Backup Status: Ensure recent backups exist for all Exchange servers before patching
  • Schedule Maintenance Window: Plan the patching during a maintenance window with minimal user impact
  • Test in Lab Environment: If possible, test the update in a non-production environment first
  • Notify Stakeholders: Inform users about potential service interruptions during the patching window

Patching Steps

  • Download Security Updates: Obtain the June 2026 security updates from Microsoft Update Catalog or Windows Server Update Services (WSUS)
  • Apply Updates: Install the security update on each Exchange Server, following Microsoft's recommended order
  • Verify Installation: Run Get-ExchangeServer | select Name,AdminDisplayVersion to confirm the correct build number
  • Restart Services: Reboot each server after patching to complete the update process
  • Re-enable Mitigations: Ensure EEMS mitigations remain active as additional protection

Post-Patching Verification

  • Test OWA Access: Verify users can log in to Outlook Web Access without errors
  • Check Mail Flow: Confirm email delivery and routing functions normally
  • Review Security Logs: Look for any signs of attempted exploitation in the last 30 days
  • Update Security Monitoring: Ensure SIEM/SOAR rules detect this vulnerability's exploitation patterns
  • Document Completion: Record patching dates, server names, and verification results

Emergency Recovery Plan

If issues occur during patching:

  1. Rollback to Previous State: Use Windows Server backup or Exchange database recovery
  2. Re-enable Mitigations: Ensure EEMS protections are active while troubleshooting
  3. Contact Microsoft Support: Open a support case if issues cannot be resolved in-house
  4. Alternative Communication Plan: Prepare alternative email solutions if recovery takes extended time

Threat Actor Outlook and Attack Patterns

Based on the historical pattern of Exchange Server vulnerabilities, threat actors are likely to:

Attack Vectors Expected

  1. Spear-Phishing Campaigns: Targeting executives and key personnel with malicious emails
  2. Bulk Email Campaigns: Casting wide net to infect multiple Exchange servers simultaneously
  3. Supply Chain Attacks: Compromising email content through third-party integrations
  4. Zero-Click Exploitation: If exploitable without user interaction, attacks will scale rapidly

Potential Attack Goals

  • Credential Theft: Harvesting user credentials through OWA session manipulation
  • Data Exfiltration: Extracting sensitive emails, attachments, and contact lists
  • Lateral Movement: Using compromised accounts to access other network resources
  • Persistence: Installing backdoors for continued access after initial compromise
  • Ransomware Deployment: Using compromised Exchange servers as attack launchpoints

Mitigation Strategies Beyond Patching

While patching is the primary remediation, organizations should implement additional layers of defense:

Network-Level Protections

  • Deploy email security gateways that scan for known XSS payloads
  • Implement content inspection for HTML emails before they reach OWA
  • Use network-based intrusion detection systems (NIDS) to identify exploitation attempts
  • Configure firewall rules to limit unnecessary inbound SMTP connections

Exchange-Specific Hardening

  • Disable unnecessary Exchange features and services
  • Apply the principle of least privilege to all Exchange accounts
  • Enable auditing for administrative actions on Exchange servers
  • Implement multi-factor authentication (MFA) for all admin accounts
  • Regularly review and audit Exchange permissions

Monitoring and Detection

  • Deploy endpoint detection and response (EDR) solutions on Exchange servers
  • Monitor OWA access logs for unusual patterns or successful XSS events
  • Set up alerts for failed patch installations or service interruptions
  • Analyze email headers and content for signs of crafted payloads
  • Implement security information and event management (SIEM) correlation rules

CVE-2026-42897 is part of a larger trend of Exchange Server vulnerabilities that include:

See our guide on Exchange zero-day vulnerability response for organizational preparedness.

Lessons Learned

  1. Patch Management: Organizations must prioritize patching Exchange servers quickly
  2. Defense in Depth: Relying solely on patches is insufficient; multiple protections are needed
  3. Continuous Monitoring: Active monitoring for exploitation attempts can detect attacks early
  4. Incident Response Planning: Prepare response plans for zero-day vulnerabilities in critical infrastructure

Conclusion

CVE-2026-42897 represents a significant threat to Exchange Server environments, particularly those that have not been patched with the June 2026 security updates. The active exploitation status, as confirmed by CISA's KEV catalog, demands immediate attention from all organizations running affected Exchange Server versions.

The key takeaways for Exchange administrators are:

  1. Deploy the June 2026 Security Update immediately for your specific Exchange Server version
  2. Keep EEMS mitigations active even after patching for additional protection
  3. Verify the update installation through build number checks and functionality testing
  4. Review historical exploitation patterns to understand likely threat actor TTPs
  5. Implement layered defenses beyond patching, including network-level protections and continuous monitoring

Organizations that delay patching risk exposure to sophisticated threat actors who have already demonstrated the ability to exploit this vulnerability. The combination of Microsoft's official guidance, CISA's mandatory compliance requirements, and active exploitation in the wild makes this a critical priority for all Exchange Server administrators.

For additional information and to download the security updates, visit Microsoft's Security Update Guide or consult your Microsoft licensing representative for enterprise support options.

See also: CISA KEV catalog for tracking known exploited vulnerabilities.

Introduction

Related blogs

cybersecurity

Rokarolla Android Trojan Levels Up to Full Device Control

The malware, spread via fake TikTok and Chrome downloads, demonstrates an evolution by combining banking fraud with surveillance and remote control capabilities.

Jun 19, 2026 · 5 mincybersecurity

New Shai-Hulud attack trojanizes 19 science-focused PyPI packages

Hackers compromised 19 packages on the PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets. The malicious packages masqueraded as legitimate science and research tools, bypassing security scans by hiding payloads in obfuscated code that only activates during specific runtime conditions.

Jun 19, 2026 · 6 mincybersecurity

Cisco SD-WAN Zero-Day (CVE-2026-20245) - Root Privilege Escalation Vulnerability

High-severity unpatched vulnerability in Cisco Catalyst SD-WAN Manager actively exploited for root privilege escalation. CVE-2026-20245 enables attackers to escalate privileges, install backdoors, and manipulate network traffic. Immediate mitigation steps and patch timeline.

Jun 19, 2026 · 4 min
More engineering analysis and backend guidance from ProBackend.
More blogs