TP-EXP-2026-0287 CVE-2026-42897 high Mitigated AI Draft

Microsoft Exchange Server Cross-Site Scripting Vulnerability (CVE-2026-42897)

Severity Assessment

  • Exploitability: 7/10 — Network-accessible with no authentication or privileges required; exploitation requires user interaction (opening a crafted email in OWA).
  • Impact: 8/10 — Arbitrary JavaScript execution in an authenticated OWA browser session; Microsoft CNA CVSS 3.1 reflects high confidentiality and integrity impact (C:H/I:H).
  • Weaponization Risk: 8/10 — CISA KEV and MSRC confirm exploitation; exploitation uses email delivery and Outlook Web Access user interaction rather than direct server-side code execution.
  • Patch Urgency: 9/10 — No permanent patch available as of advisory publication; temporary mitigation via Exchange Emergency Mitigation Service with CISA federal remediation deadline of 2026-05-29.
  • Detection Coverage: 5/10 — Browser-side XSS execution is difficult to observe from the network perimeter; email gateway inspection and EEMS mitigation logs provide the most reliable signals.

Summary

CVE-2026-42897 is a cross-site scripting vulnerability (CWE-79) in the Outlook Web Access component of Microsoft Exchange Server. The vulnerability stems from improper neutralization of input during web page generation. An unauthorized attacker can exploit it by sending a specially crafted email to a target user; if the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript executes in the browser context. The Microsoft Security Response Center classifies the impact as Spoofing.

Microsoft assigned a CVSS 3.1 base score of 8.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, reflecting high confidentiality and integrity impact. The National Vulnerability Database assigned a base score of 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N under a changed-scope model. Affected configurations documented by NVD include Microsoft Exchange Server 2016 and Exchange Server 2019.

The vulnerability was not publicly disclosed prior to vendor publication. MSRC confirmed exploitation was detected at the time of advisory release. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on 2026-05-15, establishing a federal remediation deadline of 2026-05-29. CISA records ransomware campaign use as Unknown.

As of the MSRC advisory publication, Microsoft had not released a permanent patch. A temporary mitigation is being delivered automatically through the Exchange Emergency Mitigation Service (EEMS mitigation M2), which applies an IIS URL Rewrite rule to affected Exchange Server instances. Microsoft stated that a permanent fix was in development and testing.

Exploit Chain

Stage 1: Email Delivery

An attacker composes and sends a specially crafted HTML email to a user whose mailbox resides on a vulnerable Microsoft Exchange Server 2016 or Exchange Server 2019 instance. No authentication to the target organization is required to submit the email.

Stage 2: User Interaction in Outlook Web Access

The target user opens the crafted email in Outlook Web Access. MSRC specifies that exploitation occurs when the user opens the email in OWA and certain interaction conditions are met; the exact interaction conditions have not been publicly detailed.

Stage 3: Unsanitized Input Rendered in Browser

Because Exchange Server does not adequately neutralize the attacker-supplied input before including it in the generated web page, the malicious content is reflected into the OWA page within the user’s authenticated browser session.

Stage 4: Arbitrary JavaScript Execution

The browser interprets and executes the attacker-controlled JavaScript within the OWA origin context. With script running in an authenticated session, the attacker can perform actions consistent with the MSRC-described spoofing impact, constrained to the browser context of the affected user.

Detection Guidance

Email gateway:

  • Scan inbound HTML email bodies for JavaScript content, encoded script payloads, and inline event handler attributes (e.g., onload, onerror, onmouseover) that could trigger browser execution when rendered in OWA.
  • Flag or quarantine messages with atypical HTML structures targeting webmail rendering behaviors.

Host and IIS:

  • Review IIS access logs on Exchange servers for anomalous request patterns to OWA endpoints, particularly requests with unusual query parameters or POST bodies.
  • Monitor Exchange Emergency Mitigation Service logs for application and reapplication of mitigation M2 (IIS URL Rewrite rule for CVE-2026-42897) to confirm EEMS is operating correctly on each Mailbox server.
  • Verify EEMS is installed and enabled on all Exchange Server 2016 and 2019 Mailbox role servers; EEMS requires the September 2021 or later Cumulative Update and outbound connectivity to the Office Configuration Service.

User-session review:

  • Where browser telemetry is available, review reports of unexpected script execution, redirects, or page-content changes occurring immediately after a user opens an email in Outlook Web Access.

Indicators of Compromise

No specific network-layer indicators have been publicly identified for this vulnerability. The attack surface is within the user’s browser session, limiting observable network-level artifacts.

Email indicators:

  • Inbound HTML messages containing embedded <script> blocks, JavaScript URI schemes (javascript:), or event handler attributes referencing external resources or data-exfiltration endpoints.
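The gateway heuristics listed above (script blocks, javascript: URIs, inline event handlers, entity-encoded variants of the same) as a worked scanner over an HTML email body. This is an added illustration, not code from the advisory or from any Microsoft or gateway product; the sample messages are constructed, and the `alert(1)` marker stands in for whatever a real message would carry.

```python
import html
import re
from html.parser import HTMLParser

# Indicator classes taken from the advisory's email-gateway guidance.
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
URI_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


class XssIndicatorScanner(HTMLParser):
    """Walk an HTML email body and record constructs an OWA-rendered
    message should never legitimately contain."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.findings.append(("script_tag", tag))
        for name, value in attrs:
            name = name.lower()
            if EVENT_HANDLER.match(name):
                self.findings.append(("event_handler", name))
            if name in URI_ATTRS and value is not None:
                # html.parser already unescapes attribute values once; unescape
                # again for double-encoded input, then strip whitespace and
                # control characters used to split the scheme ("java\tscript:").
                scheme = re.sub(r"[\s\x00-\x1f]", "", html.unescape(value)).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(("javascript_uri", name))


def scan_email_html(body: str):
    """Return a list of (indicator, detail) tuples found in the body."""
    scanner = XssIndicatorScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def gateway_verdict(body: str):
    """Quarantine any message carrying at least one indicator."""
    findings = scan_email_html(body)
    return ("quarantine" if findings else "deliver"), findings


# Constructed samples (not real campaign content).
BENIGN = ('<html><body><p>Quarterly report attached.</p>'
          '<a href="https://intranet.example/report">Open</a></body></html>')
SUSPICIOUS = ('<html><body><img src="x" onerror="alert(1)">'
              '<a href="java&#x09;script:alert(1)">Invoice</a>'
              '<script>/* marker */</script></body></html>')
```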

Browser indicators:

  • Unexpected JavaScript execution, redirects, or page-content changes occurring within an active OWA session after opening an email.

IIS log indicators:

  • OWA endpoint responses that include reflected script content not present in normal Exchange-generated page output.
  • Repeated requests to OWA paths with parameters matching known XSS probe patterns.
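The IIS log review described under Host and IIS and in the indicators above, as an added example that is not part of the advisory: it parses a W3C-format IIS log, URL-decodes the query string of requests to OWA paths (twice, to catch double encoding), and reports clients whose parameters match the probe patterns the advisory names. The log excerpt, server, client addresses and field selection are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-format IIS log excerpt (not from a real Exchange server).
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-15 09:12:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 200
2026-05-15 09:12:07 10.0.0.5 GET /owa/service.svc action=GetItem 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 200
2026-05-15 09:13:40 10.0.0.5 GET /owa/ id=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E 443 - 198.51.100.23 curl/8.0 302
2026-05-15 09:13:41 10.0.0.5 GET /ecp/ - 443 - 198.51.100.23 curl/8.0 302
"""

# Probe patterns matching the advisory's email and IIS indicator classes.
PROBE_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_owa_probes(text):
    """Return records whose decoded OWA query string matches a probe pattern."""
    hits = []
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue
        # "-" means no query string; decode twice to handle double encoding.
        query = unquote_plus(unquote_plus(rec.get("cs-uri-query", "-")))
        matched = [name for name, rx in PROBE_PATTERNS if rx.search(query)]
        if matched:
            hits.append({"time": rec["date"] + " " + rec["time"],
                         "client": rec["c-ip"],
                         "status": rec["sc-status"],
                         "patterns": matched})
    return hits
```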

EEMS indicators:

  • Exchange Emergency Mitigation Service log entries confirming application of mitigation M2 for CVE-2026-42897 on Exchange Server 2016 and Exchange Server 2019 Mailbox servers; absence of this log entry on a server that should receive automatic mitigations warrants investigation.

Disclosure Timeline

2026-05-14 — Vendor and NVD Publication

Microsoft Security Response Center published the advisory for CVE-2026-42897. MSRC noted the vulnerability had not been publicly disclosed prior to this publication and that exploitation had been detected. The National Vulnerability Database published its entry the same day.

2026-05-15 — NVD Initial Analysis and CISA KEV Addition

NVD completed its initial analysis and updated the entry with CVSS scoring and affected configuration data. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog with a required federal agency remediation date of 2026-05-29, confirming active exploitation in the wild.

2026-05-29 — CISA BOD 22-01 Federal Remediation Deadline

Federal agencies subject to Binding Operational Directive 22-01 are required to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

Sources & References