On May 14, 2026, Microsoft disclosed a new vulnerability in on-prem Exchange Server. The bug, tracked as CVE-2026-42897, sits in Outlook Web Access (OWA): one crafted email can run JavaScript inside the victim's signed-in OWA session. It carries a CVSS score of 8.1, it is on the CISA KEV list, and the federal fix deadline is May 29, 2026.
If you run Exchange 2016, 2019, or Subscription Edition on your own servers, this one is for you. Exchange Online is not affected.
Key Takeaways
- What it is - CVE-2026-42897 is a high-severity spoofing flaw rooted in cross-site scripting (XSS) inside Exchange OWA.
- How it triggers - The attacker emails a target. When the victim opens the message in OWA, the attacker's JavaScript runs in that session.
- Who is at risk - On-prem Exchange Server 2016, 2019, and Subscription Edition. Exchange Online is not affected.
- Active use - Microsoft and CISA confirmed active exploitation within 24 hours of disclosure.
- Fix path - Confirm the EEMS mitigation applied automatically, or run EOMT by hand on servers that cannot reach Microsoft. A full security update follows later.
Table of Contents
- What Is the Exchange Zero-Day CVE-2026-42897?
- How Attackers Exploit the Exchange Zero-Day
- Which Server Versions This Exchange Zero-Day Affects
- Microsoft's Emergency Fix for the Exchange Zero-Day
- CISA KEV Catalog and the May 29 Deadline
- Known Issues After You Apply the Fix
- How to Spot an Exchange Zero-Day Compromise on Your Server
- Hardening Checklist for Exchange Admins
- Summary
- Frequently Asked Questions
What Is the Exchange Zero-Day CVE-2026-42897?
CVE-2026-42897 is a spoofing flaw that stems from a cross-site scripting bug in the OWA component of on-prem Exchange. Microsoft disclosed it on May 14, 2026, the same day it was seen exploited in the wild, which is what makes it a zero-day.
According to the NVD entry for CVE-2026-42897, the root cause is improper input handling: OWA takes untrusted email content and renders it as trusted HTML, so the browser runs whatever script the attacker placed in the message.
The CVSS 3.1 base score is 8.1 (High). The attack vector is network, attack complexity is low under the right conditions, and the attacker needs no privileges on the server. The victim does have to open the message, so user interaction is part of the picture.
Why "spoofing" still means real risk
Microsoft classes the bug as spoofing, not remote code execution. The label fits: the script runs in the user's browser, not on the server. The impact is still serious. An attacker can read the user's mail, send mail as that user, and make any request to Exchange that the signed-in session can make. Where OWA shares sign-on with other apps, that often means lateral movement into SharePoint, Teams, and identity tools.
How Attackers Exploit the Exchange Zero-Day
The attack chain is short. Below is the flow that responders pieced together from incident notes.
- First, the attacker sends a crafted email to the target's inbox.
- The victim signs in to OWA and opens the message.
- The payload slips past OWA's HTML sanitizer, and the attacker's JavaScript runs inside the signed-in session.
- The script can then read mail, steal tokens, send messages, or fetch further code.
According to BleepingComputer's report on the live campaign, opening the email in OWA is enough. There is no link to click, no macro to enable, and no attachment to open. That low bar is what makes this zero-day so dangerous.
Have you trained your users on phishing in the last 90 days? Even good training will not stop this one. The trigger is the act of opening an ordinary-looking email.
Why the OWA reading pane is the trigger
OWA renders HTML email inside the user's signed-in session. Any script that survives sanitization runs with the same origin as OWA itself, so the browser lets it read mail and send requests as the user, and those requests carry the session cookies automatically. Even cookies marked HttpOnly, which script cannot read directly, are still attached to the requests the script makes. That same-origin trust is what the CVE abuses.
Which Server Versions This Exchange Zero-Day Affects
This zero-day affects every supported on-prem Exchange release. The vendor advisory lists three product lines:
- Exchange Server 2016 CU23 - the final cumulative update for the 2016 line.
- Exchange Server 2019 CU14 and CU15 - both the current and the prior cumulative update are in scope.
- Exchange Server Subscription Edition (SE) RTM - the line that replaced 2016 and 2019.
- Exchange Online - not affected. Microsoft 365 mailboxes run on a cloud stack that already has the fix.
One wrinkle matters. According to the Microsoft Exchange Team blog, the final patch for 2016 and 2019 ships only to organizations enrolled in Period 2 Extended Security Updates (ESU); Period 1 ESU ended in April 2026. If you skipped that renewal, you will not receive the patch, and the realistic path is to migrate.
Microsoft's Emergency Fix for the Exchange Zero-Day
Microsoft shipped two mitigation paths on the day it disclosed the zero-day. Both block the known exploit while Microsoft finishes a full security update.
Option 1: Exchange Emergency Mitigation Service (EEMS)
EEMS is the easy path. If your servers run EEMS and can reach Microsoft's Office Config Service endpoint, the mitigation is most likely already in place: Microsoft pushed it on May 14, and connected servers picked it up within hours.
To confirm that EEMS is running and has applied the mitigation, open the Exchange Management Shell and run:
Get-ExchangeServer | Format-List Name, IsExchangeEmergencyMitigationServiceEnabled, MitigationsApplied
The mitigation should appear under MitigationsApplied, with the matching CVE ID, on every server. Do not assume it is there: a server with EEMS disabled, or one that cannot reach Microsoft, silently receives nothing.
Option 2: Exchange On-premises Mitigation Tool (EOMT)
Some servers cannot reach Microsoft's update service, for instance on air-gapped or egress-restricted networks. For those, download the latest EOMT from aka.ms/UnifiedEOMT and run it by hand. The tool applies the per-CVE mitigation on a single server; with a small wrapper script it can be run across the whole estate.
Either way, do this today. Microsoft has confirmed exploitation in the wild, and federal teams face the May 29 deadline.
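As an added example (not from the article, from Microsoft's advisory, or from the EEMS documentation), the following script, run from the Exchange Management Shell, turns the one-line check above into an estate-wide report that also tells you which servers still need the manual EOMT run. It assumes, as the article states, that the applied-mitigation entry contains the CVE ID; the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties are the ones the EEMS documentation uses on Get-ExchangeServer and Get-OrganizationConfig.

```powershell
# Added example, not from the article or Microsoft: verify EEMS org-wide and per server,
# and confirm that a mitigation for the CVE has actually landed on every mailbox server.
# Assumption: the MitigationsApplied entry contains the CVE ID (as the article states).
$CveId = 'CVE-2026-42897'

# Org-level switch: if this is $false, no server will download or apply mitigations.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level (Get-OrganizationConfig MitigationsEnabled = False).'
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Edge Transport servers have no OWA; only mailbox servers matter for this CVE.
    if (-not $srv.IsMailboxServer) { continue }
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    [pscustomobject]@{
        Server             = $srv.Name
        EemsEnabled        = [bool]$srv.MitigationsEnabled
        CveMitigated       = [bool]($applied | Where-Object { $_ -like "*$CveId*" })
        MitigationsApplied = ($applied -join ', ')
        MitigationsBlocked = ($blocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers that still need attention: EEMS off, or the mitigation has not arrived.
# These are the candidates for a manual EOMT run.
$todo = @($report | Where-Object { -not $_.EemsEnabled -or -not $_.CveMitigated })
if ($todo.Count -gt 0) {
    Write-Warning "Run EOMT by hand on: $(($todo | ForEach-Object { $_.Server }) -join ', ')"
}
```

A server listed under MitigationsBlocked has had a mitigation explicitly excluded by an admin; treat that as a deliberate gap to review, not as coverage.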
CISA KEV Catalog and the May 29 Deadline
On May 15, 2026, CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog. That listing triggers BOD 22-01: federal civilian agencies must apply the required fix by May 29, 2026.
According to SecurityWeek's report on the listing, CISA cited confirmed exploitation as the reason for the urgent status.
The KEV deadline binds only federal agencies, but for private firms it is a strong signal of how fast attackers are moving. Use the same date as your internal SLA.
Known Issues After You Apply the Fix
The mitigation breaks a small number of OWA features. Microsoft lists these known issues so admins can plan around them:
- Print Calendar in OWA may not work until Microsoft ships the full patch.
- Inline images in the OWA reading pane might not show for some users.
- OWA Light (the URL ending in ?layout=light) does not work reliably with the mitigation in place.
None of these are show-stoppers for most teams. If users report missing inline images, point them to the Outlook desktop client until the final update lands. Do not roll the mitigation back to restore a feature.
How to Spot an Exchange Zero-Day Compromise on Your Server
Assume nothing. The zero-day was exploited before Microsoft disclosed it, so look for evidence of past abuse rather than only planning future cover.
Start with these checks on every internet-facing Exchange server:
- IIS access logs - hunt for unusual GET and POST requests to the /owa, /ews and /mapi paths from external IP addresses, non-browser user agents talking to those paths, and unusually long query strings.
- Message tracking logs - these record sender, recipients, subject and timing, not message bodies, so use them to scope who received a suspect message and what that mailbox sent afterwards. To inspect content for <script> tags or odd data-attribute payloads you need a mailbox search (for example a compliance search) or a transport rule going forward.
- OWA event logs - look for session hijack signs, such as one account active from two countries within the same hour.
- Authentication logs - look for sign-ins and token use from new IP addresses or user agents shortly after a suspect message was opened. The script's requests ride the victim's session, so the first sign of replay is often the same account appearing from a second source.
- Outbound mail spikes - a sudden burst of email from a single user is a classic sign of post-exploitation mass mailing from a hijacked mailbox.
If you find any of these signs, treat the mailbox as compromised: reset the user's password, revoke active sessions, rotate any service account secrets the user could reach, and scan their endpoints.
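As an added example (not from the article and not a Microsoft tool), the script below implements the IIS log check from the list above as a first-pass triage over W3C-format log lines: it parses the #Fields header, keeps only requests to the OWA, EWS and MAPI paths, and flags non-browser user agents from external addresses, script markers or oversized query strings, and one account appearing from more than one public IP. The function names, thresholds and the four log lines are all constructed for the example; for a real hunt, feed it Get-Content of your own logs (by default under C:\inetpub\logs\LogFiles\W3SVC1).

```powershell
# Added example: triage of IIS W3C logs for suspicious OWA/EWS/MAPI access.
# Sample log lines below are constructed; replace $sample with Get-Content of real logs.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges plus loopback count as "inside"; everything else is external.
    $o = $Ip -split '\.'
    if ($o.Count -ne 4) { return $false }
    return ($o[0] -eq '10') -or ($o[0] -eq '127') -or
           ($o[0] -eq '192' -and $o[1] -eq '168') -or
           ($o[0] -eq '172' -and [int]$o[1] -ge 16 -and [int]$o[1] -le 31)
}

function Find-SuspiciousOwaRequests {
    param([string[]]$Lines, [int]$MaxQueryLength = 512)   # threshold is an assumption
    $fields  = $null
    $hits    = New-Object System.Collections.Generic.List[object]
    $userIps = @{}   # username -> hashtable of public source IPs seen for that account

    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -like '#Fields:*') {
            # IIS writes a #Fields header whenever the log format changes; parse it, do not hardcode columns.
            $fields = ($line -replace '^#Fields:\s*') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $fields) { continue }

        $row    = @{}
        $values = $line -split ' '
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $stem = $row['cs-uri-stem']
        if ($stem -notmatch '^/(owa|ews|mapi)') { continue }
        $query = [string]$row['cs-uri-query']
        $ip    = [string]$row['c-ip']
        $ua    = [string]$row['cs(User-Agent)']     # IIS replaces spaces with '+'
        $user  = [string]$row['cs-username']
        $reasons = @()

        # Rule 1: script-driven tooling talking to OWA/EWS from outside the network.
        if (-not (Test-PrivateIPv4 $ip) -and $ua -match 'python|curl|PowerShell|Go-http') {
            $reasons += "non-browser user agent from external IP ($ua)"
        }
        # Rule 2: oversized or script-bearing query strings on these endpoints.
        $decoded = [uri]::UnescapeDataString($query)
        if ($query.Length -gt $MaxQueryLength) { $reasons += "query string of $($query.Length) chars" }
        if ($decoded -match '<script|javascript:|(?<!\w)on\w+\s*=') { $reasons += 'script markers in query' }
        # Rule 3: the same account seen from more than one public IP in this log set.
        if ($user -ne '-' -and -not (Test-PrivateIPv4 $ip)) {
            if (-not $userIps.ContainsKey($user)) { $userIps[$user] = @{} }
            $userIps[$user][$ip] = $true
            if ($userIps[$user].Count -gt 1) { $reasons += "account seen from $($userIps[$user].Count) public IPs" }
        }

        if ($reasons.Count -gt 0) {
            $hits.Add([pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                User     = $user
                SourceIp = $ip
                Uri      = $stem
                Reasons  = ($reasons -join '; ')
            })
        }
    }
    return $hits
}

# Constructed sample: one normal browser session, then two external, tool-driven requests.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-13 09:12:01 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2026-05-13 09:12:40 10.0.0.5 POST /owa/service.svc action=GetItem 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2026-05-13 09:15:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\alice 198.51.100.23 python-requests/2.31 - 200 0 0 45
2026-05-13 09:16:10 10.0.0.5 GET /owa/ a=%3Cscript%3Efetch(%27/owa/service.svc%27)%3C/script%3E 443 CONTOSO\alice 203.0.113.9 curl/8.4.0 - 200 0 0 30
'@ -split "`r?`n"

Find-SuspiciousOwaRequests -Lines $sample | Format-Table -AutoSize
```

On the sample, the first two lines (a browser on an internal address) produce nothing; the third is flagged for a python-requests client on an external address, and the fourth for curl, for the decoded <script> marker, and for alice now appearing from a second public IP. Rule 3 only sees IPs within the lines you pass in, so run it over the whole window you care about rather than one day at a time.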
Hardening Checklist for Exchange Admins
Beyond the quick fix, the Verizon 2026 DBIR flagged a sobering trend: exploitation of vulnerabilities now accounts for 36% of initial access in breaches, overtaking stolen credentials for the first time in 19 years. That is your context. Treat patching speed as a business risk, not a chore.
Use this checklist on your Exchange estate this week:
- Apply the EEMS or EOMT mitigation on every on-prem Exchange server today.
- Confirm Period 2 ESU enrollment if you run 2016 or 2019. Without it, you will not receive the final patch.
- Restrict OWA exposure behind a VPN or zero-trust gateway. Public OWA is the largest attack surface most teams carry.
- Force re-sign-in on all OWA sessions after you apply the mitigation, so any session an attacker already holds is cut off.
- Turn on mailbox audit logging for every mailbox, so you can reconstruct activity if you find signs of compromise.
- Plan the move to Exchange Online or Subscription Edition if you still run 2016. The 2016 line gets no more patches outside Period 2 ESU.
- Schedule a tabletop drill within 30 days. Walk through a "what if our OWA was hit three weeks ago" scenario.
For more on the wider patching pressure, read our deep dive on the Microsoft Patch Tuesday process. Our zero trust security guide covers how to cut the flat network trust that lets one OWA compromise spread.
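As an added example (not from the article), the script below covers two items from the checklist in one Exchange Management Shell pass: it turns on mailbox audit logging for every user mailbox that does not already have it, and it implements the "outbound mail spike" hunt from the detection section by comparing each sender's last 24 hours of mailbox submissions against a seven-day baseline taken from message tracking logs. The window sizes, the burst floor and the ratio are assumptions to tune for your estate; Get-SubmissionCounts is a helper written for this example.

```powershell
# Added example, not from the article: enable mailbox auditing and hunt for sending spikes.
# Thresholds are assumptions; tune them to your own mail volumes.

# --- 1. Mailbox audit logging, 180-day retention, only where it is still off ---
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# --- 2. Outbound spike hunt from message tracking ---
$now      = Get-Date
$baseDays = 7      # length of the baseline window in days
$minBurst = 50     # ignore accounts below this many submissions in the last day
$ratio    = 5      # flag when the last day exceeds N times the daily baseline

function Get-SubmissionCounts {
    param([datetime]$Start, [datetime]$End)
    # RECEIVE events with Source STOREDRIVER are messages submitted from a mailbox,
    # which is exactly what a script running in a hijacked OWA session produces.
    Get-TransportService |
        Get-MessageTrackingLog -EventId RECEIVE -Source STOREDRIVER -Start $Start -End $End -ResultSize Unlimited |
        Group-Object -Property Sender -NoElement |
        ForEach-Object { [pscustomobject]@{ Sender = $_.Name; Count = $_.Count } }
}

# Baseline: average submissions per day over the week before yesterday.
$baseline = @{}
Get-SubmissionCounts -Start $now.AddDays(-$baseDays - 1) -End $now.AddDays(-1) |
    ForEach-Object { $baseline[$_.Sender] = $_.Count / $baseDays }

# Last 24 hours: anything well above its own baseline (or a new high-volume sender).
$spikes = Get-SubmissionCounts -Start $now.AddDays(-1) -End $now |
    Where-Object {
        $avg = if ($baseline.ContainsKey($_.Sender)) { $baseline[$_.Sender] } else { 0 }
        $_.Count -ge $minBurst -and $_.Count -gt ($ratio * [math]::Max($avg, 1))
    } |
    Select-Object Sender, Count,
        @{ n = 'DailyBaseline'; e = { '{0:N1}' -f [double]$baseline[$_.Sender] } }

$spikes | Format-Table -AutoSize
```

Message tracking logs are kept per transport server for a limited number of days (30 by default), so a "what if three weeks ago" drill depends on that retention; raise it or ship the logs to a SIEM before you need them.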
Summary
CVE-2026-42897 is an actively exploited XSS-based spoofing flaw in Exchange OWA. It affects Exchange Server 2016, 2019, and Subscription Edition. Microsoft shipped an automatic EEMS mitigation and a manual EOMT path on May 14, and CISA gave federal agencies until May 29, 2026 to apply it. Mitigate today, hunt for prior compromise, then harden OWA exposure before the next bug lands.
Frequently Asked Questions
Is the Exchange zero-day fixed yet?
Microsoft has shipped a mitigation, not yet a full patch. EEMS-enabled servers picked up the mitigation automatically on May 14, 2026. A final security update will follow for Exchange Server 2016 CU23, 2019 CU14 and CU15, and Subscription Edition RTM; for 2016 and 2019, only Period 2 ESU customers will receive it.
Does CVE-2026-42897 affect Microsoft 365 or Exchange Online mailboxes?
No. The zero-day affects only on-prem Exchange Server 2016, 2019, and Subscription Edition. Exchange Online customers are not exposed; Microsoft applies fixes to its cloud service first.
What is the deadline for federal teams to apply the fix?
CISA added CVE-2026-42897 to the KEV catalog on May 15, 2026. Under BOD 22-01, federal civilian agencies must apply the required fix by May 29, 2026.
Can the attacker run code on the Exchange server itself?
The bug is classed as spoofing: the malicious script runs in the user's browser, not on the server. But that browser session is signed in to OWA, so the attacker can still read mail, send mail as the user, and pivot to other web apps with stolen tokens.
What should I do if I cannot enable EEMS?
Download the Exchange On-premises Mitigation Tool (EOMT) from aka.ms/UnifiedEOMT and apply the CVE-2026-42897 mitigation by hand. The tool works on air-gapped servers and supports per-server or org-wide use from the Exchange Management Shell.
Should I block public OWA access right now?
If your business model allows it, yes. Putting OWA behind a VPN or zero-trust gateway removes the largest attack surface. Most teams that already use Outlook desktop or mobile can turn off public OWA with low user impact.
About the Author
Bhanu Prakash is a cybersecurity and cloud computing professional with hands-on experience in incident response, vulnerability management, and Microsoft Exchange hardening. He shares practical guides and career advice at ElevateWithB.
What to Read Next: Strengthen your defensive posture with our zero trust security guide to limit what an OWA compromise can reach.