Microsoft has issued an urgent advisory for CVE-2026-42897, a zero-day vulnerability in Exchange Server that is being actively exploited in the wild. The company published mitigations while a permanent patch remains in development, urging administrators running affected Exchange versions to act immediately.
Vulnerability Details
CVE-2026-42897 is a high-severity vulnerability in Exchange Server's Outlook Web Access (OWA) component. Successful exploitation allows attackers to execute arbitrary code within a victim user's browser session when the victim accesses a specially crafted email or link through OWA.
Key facts:
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-42897 |
| Severity | High |
| Component | Outlook Web Access (OWA) / Exchange Server |
| Attack Type | Cross-Site Scripting (XSS) |
| Exploitation Status | Actively exploited in the wild |
| Patch Status | Mitigations available — full patch pending |
How the Attack Works
The flaw is a reflected or stored XSS vulnerability in OWA's message rendering pipeline. An attacker can deliver a malicious payload via email — when the victim opens or previews the message in OWA, the payload executes in their browser with the permissions of their authenticated Exchange session.
From this position, an attacker can:
- Steal session tokens and hijack the victim's Exchange account
- Read, forward, or exfiltrate emails and calendar data
- Send phishing emails from the victim's account to their trusted contacts
- Pivot further into the organization using Exchange's deep integration with Active Directory
Because the attack requires only that the victim view an email in OWA, it can be highly effective in phishing campaigns targeting Exchange users.
Active Exploitation Confirmed
Microsoft confirmed the vulnerability is being exploited in active attacks. While the company has not disclosed specific threat actors or campaign details, the combination of Exchange's pervasive enterprise deployment and the low-friction XSS delivery mechanism makes this an attractive target for both nation-state actors and financially motivated groups.
Security researchers noted that Exchange zero-days have historically seen rapid weaponization following disclosure, as demonstrated by ProxyLogon (2021) and ProxyShell (2021), which led to widespread ransomware and espionage campaigns within days of patch release.
Mitigations Available Now
Until a full patch is released, Microsoft recommends the following mitigations:
1. Restrict OWA Access
Limit Outlook Web Access to internal networks or VPN-authenticated sessions only by modifying IIS binding rules or firewall policy to block external OWA access.
```powershell
# PowerShell: Check current OWA virtual directory authentication settings
Get-OwaVirtualDirectory -Server <ExchangeServer> | Select-Object Server, InternalURL, ExternalURL, *Authentication*
```
If external OWA access is required, consider deploying a Web Application Firewall (WAF) in front of the Exchange environment with rules targeting XSS payloads.
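One concrete way to carry out the "restrict OWA access" step at the IIS layer is the IP and Domain Restrictions feature on the /owa application of the Exchange front-end site. The following is an added example, not code from the article or from Microsoft; the site name, the internal address ranges and the feature check are assumptions you must adapt to your environment.

```powershell
# Added example (not from the SecurityWeek article or from Microsoft): restrict the
# /owa application on the Exchange front-end site to internal address ranges using
# the IIS "IP and Domain Restrictions" feature. Site name and ranges are assumptions.
Import-Module WebAdministration

$siteName    = 'Default Web Site'          # Exchange front-end site (assumed default name)
$location    = "$siteName/owa"
$filter      = 'system.webServer/security/ipSecurity'
$appHost     = 'MACHINE/WEBROOT/APPHOST'
$allowedNets = @(                          # constructed internal ranges; replace with your own
    @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0' },
    @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0' }
)

# The ipSecurity section is only configurable once the feature is installed
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    throw 'Install the IIS IP and Domain Restrictions feature (Web-IP-Security) first.'
}

# Deny every client that is not explicitly allowed below
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter `
    -Name allowUnlisted -Value $false

# Add the allow list, skipping ranges that are already present (duplicates are rejected by IIS)
$existing = Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add"
foreach ($net in $allowedNets) {
    if ($existing | Where-Object { $_.ipAddress -eq $net.ipAddress -and $_.subnetMask -eq $net.subnetMask }) {
        continue
    }
    Add-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter `
        -Name '.' -Value @{ ipAddress = $net.ipAddress; subnetMask = $net.subnetMask; allowed = $true }
}

# Verify what is now in effect for /owa
(Get-WebConfiguration -PSPath $appHost -Location $location -Filter $filter).allowUnlisted
Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Apply this only to the front-end site: the "Exchange Back End" site on port 444 receives proxied requests from the server's own address and must stay reachable. A perimeter firewall or WAF rule achieves the same result without touching IIS, and whichever control you choose, re-verify it after applying any Exchange update, since updates can rewrite virtual directory configuration.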
2. Enable and Enforce MFA
Multi-factor authentication limits the impact of session token theft by ensuring stolen tokens alone are insufficient for account access from new devices.
```powershell
# Check MFA status for Exchange users (requires Azure AD / Entra integration and the Microsoft Graph PowerShell SDK)
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'
# Get-MgUserAuthenticationMethod needs an explicit -UserId, so iterate rather than piping user objects into it
Get-MgUser -All | ForEach-Object { Get-MgUserAuthenticationMethod -UserId $_.Id }
```
3. Monitor OWA Access Logs
Review Exchange IIS logs for anomalous patterns that may indicate exploitation attempts:
```powershell
# Exchange IIS log path (W3SVC1 is the Default Web Site, which hosts the OWA front end)
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1\"
Get-ChildItem $logPath -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 5
# Look for unusual URL patterns in OWA requests (Select-String is case-insensitive, so %3c also matches %3C)
Select-String -Path (Join-Path $logPath "*.log") -Pattern "/owa/.*<|/owa/.*javascript:|/owa/.*%3c" | Select-Object -First 50
```
4. Apply Microsoft's Workarounds
Microsoft published specific configuration-level mitigations in the official security advisory. Review and apply all available workarounds from the Microsoft Security Response Center (MSRC) advisory for CVE-2026-42897.
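The log-monitoring step above greps raw IIS lines for a few literal markers. The following added example (not code from the article or from Microsoft) goes a step further: it parses the W3C field header so columns are addressed by name, URL-decodes each OWA query string before matching so encoded variants are caught, and returns structured records suitable for handing to incident response. The log lines embedded in it are constructed sample data, not real traffic, and the marker list is an assumption to tune for your environment.

```powershell
# Added example (not from the SecurityWeek article or from Microsoft): parse IIS W3C log
# lines, keep only /owa/ requests, URL-decode the query string and flag script markers.
# The sample lines at the bottom are constructed, not real traffic.

function Find-SuspiciousOwaRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    $fields  = @()
    $results = @()
    # Markers that have no place in a legitimate OWA query string (assumed list; extend as needed).
    # Matching happens after URL-decoding, so %3Cscript%3E and <script> are treated alike.
    $markers = '<script', 'javascript:', 'onerror=', 'onload=', '<img', '<svg'

    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The W3C header defines the column order for the lines that follow
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($fields.Count -eq 0) { continue }          # no header seen yet; cannot map columns

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs-uri-stem'] -notlike '/owa/*') { continue }

        $query   = if ($row['cs-uri-query'] -eq '-') { '' } else { $row['cs-uri-query'] }
        $decoded = [System.Uri]::UnescapeDataString($query)
        $hit = $markers |
            Where-Object { $decoded.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            Select-Object -First 1
        if ($hit) {
            $results += [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                User     = $row['cs-username']
                Stem     = $row['cs-uri-stem']
                Marker   = $hit
                Decoded  = $decoded
            }
        }
    }
    return $results
}

# Constructed sample log lines in IIS W3C format (not real traffic)
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2026-01-10 08:00:01 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.1.20 Mozilla/5.0 200',
    '2026-01-10 08:00:09 10.0.0.5 GET /owa/ path=/mail/inbox 443 CORP\alice 10.0.1.20 Mozilla/5.0 200',
    '2026-01-10 08:01:15 10.0.0.5 GET /owa/ path=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.9 curl/8.0 200',
    '2026-01-10 08:02:30 10.0.0.5 GET /ecp/ - 443 CORP\bob 10.0.1.21 Mozilla/5.0 200'
)

# Only the third sample line is reported: an /owa/ request whose decoded query carries "<script"
Find-SuspiciousOwaRequests -LogLines $sample | Format-Table -AutoSize
```

To run it over real logs, replace `$sample` with `Get-Content (Join-Path $logPath '*.log')`. Bear in mind what IIS logs can and cannot show: they capture URL-borne (reflected) variants, but a payload delivered in a message body and rendered from the mailbox (the stored case the article describes) never appears in a query string, so mailbox-level review and OWA session anomalies remain necessary signals.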
Recommended Immediate Actions
- Apply published mitigations from the MSRC advisory — do not wait for a formal patch
- Restrict OWA access to VPN/internal users if operationally feasible
- Enable MFA on all Exchange-connected accounts
- Monitor Exchange logs for unusual OWA activity dating back 30 days
- Alert incident response to any anomalous account behavior
- Subscribe to MSRC alerts to receive immediate notification when the patch is available
Broader Context
Exchange Server remains one of the most targeted enterprise applications globally. Its tight integration with Active Directory means that an attacker with Exchange access can often move laterally to high-value targets quickly. Security teams should treat any unpatched Exchange vulnerability with urgency proportional to its exploitation status.
Organizations that have migrated to Exchange Online (Microsoft 365) are not affected by this on-premises vulnerability.
Source: SecurityWeek