A critical cross-site scripting (XSS) vulnerability, identified as CVE-2026-42897, in Microsoft Exchange Server is currently being exploited by attackers in the wild. Microsoft issued a warning on Thursday, confirming that exploitation is ongoing, but a permanent security update is not yet available. In the interim, the company has provided temporary mitigations to help organizations protect their systems.
Microsoft Exchange Server has long been a prime target for threat actors due to its widespread use in enterprise environments. Past vulnerabilities, such as ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), have led to widespread breaches and ransomware attacks. The current vulnerability continues this trend, demonstrating the persistent risk to on-premises Exchange deployments.
About CVE-2026-42897
CVE-2026-42897 is a cross-site scripting vulnerability that affects on-premises versions of Microsoft Exchange Server. Specifically, it impacts Exchange Server Subscription Edition RTM, Exchange 2019, and Exchange 2016. Exchange Online, Microsoft's cloud-based email service, is not affected by this flaw.
XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. In this case, the vulnerability exists in Outlook Web Access (OWA), the browser-based email client for Exchange. An attacker could exploit the flaw by sending a specially crafted email to a user. If the user opens the email in OWA and certain interaction conditions are met, arbitrary JavaScript code could be executed in the user's browser context.
The specific interaction conditions required for successful exploitation have not been disclosed by Microsoft. This lack of detail makes it challenging for administrators to assess their precise risk. However, the company confirmed the vulnerability was flagged by an anonymous researcher, and it allows an unauthorized attacker to perform spoofing over a network.
Cross-site scripting is a well-understood attack vector, but in the context of email clients like OWA, it can have severe consequences. An attacker could steal session cookies, access sensitive emails, perform actions on behalf of the victim, or even move laterally within the organization's network. Because OWA is often accessible from the internet, this vulnerability is particularly concerning for organizations that have not properly secured their Exchange servers.
Mitigation Available
Microsoft's Exchange Server Team has acknowledged the issue and stated that a security update is in the works. The update will be released for Exchange Server SE RTM, Exchange 2016 CU23, Exchange Server 2019 CU14 and CU15. Organizations running older cumulative updates are urged to update to these supported versions as soon as possible. However, it is important to note that updates for Exchange 2016 and 2019 will only be released to customers enrolled in the Period 2 Exchange Server Extended Security Updates (ESU) program. This program is designed for organizations that need additional time to migrate to newer versions or to the cloud.
In the meantime, two mitigation options are available. The first is through the Exchange Emergency Mitigation Service (EEMS). This service is enabled by default for supported Exchange Server installations and automatically applies mitigations when they are released. Organizations should verify that EEMS is running and that it has received the latest mitigation configuration.
The second option is the Exchange on-premises Mitigation Tool (EOMT). Administrators can manually run a provided script that applies the same mitigation. This is useful for organizations that have disabled EEMS or need to deploy the mitigation across many servers quickly. Microsoft has not specified the exact technical mechanism of the mitigation, but it likely involves blocking specific email content or modifying OWA behavior to prevent script execution.
It is crucial for administrators to apply these mitigations immediately. Given that active exploitation is confirmed, delay could result in a breach. Security researchers and incident response teams have observed that Exchange vulnerabilities are often exploited within hours or days of a disclosure, especially when no patch is available.
Historical Context and Lessons Learned
Microsoft Exchange Server has a troubled history regarding security vulnerabilities. The aforementioned ProxyLogon and ProxyShell vulnerabilities, disclosed in 2021, were exploited by numerous threat actors, including ransomware groups and state-sponsored attackers. These flaws allowed unauthenticated remote code execution and were used in attacks against tens of thousands of organizations worldwide.
Following those incidents, Microsoft introduced the Exchange Emergency Mitigation Service and the ESU program to give organizations more tools to protect themselves. However, the current situation shows that even with these improvements, vulnerabilities continue to emerge, and attackers are quick to exploit them.
The lack of a permanent fix for CVE-2026-42897 is reminiscent of the earlier days of ProxyLogon, when Microsoft released workarounds and mitigations before the actual patches. In those cases, the mitigations were effective when applied correctly, but many organizations failed to do so, leading to compromises. Administrators must learn from history and ensure that the mitigations are deployed and remain effective until the official updates arrive.
Impact on Organizations
Organizations running on-premises Exchange Server are at highest risk. This includes businesses that have not yet migrated to Exchange Online or Microsoft 365, as well as those in regulated industries where data sovereignty requires on-premises email. The vulnerability could lead to data theft, account takeover, and further network compromise.
The spoofing capability mentioned by Microsoft suggests that an attacker could impersonate a legitimate user, potentially conducting phishing attacks from a trusted email account. This would undermine existing security controls such as DMARC, DKIM, and SPF, as the email would originate from the real server.
Additionally, because OWA is often exposed to the internet to allow remote access, the attack surface is significant. Even if an organization uses VPNs or other access controls, users accessing OWA from personal or mobile devices may be at risk.
Recommendations for Administrators
First and foremost, enable and verify the Exchange Emergency Mitigation Service. Ensure that the latest mitigation has been applied automatically. If EEMS is not active, use the EOMT script immediately.
Second, consider additional security layers such as multi-factor authentication (MFA) for OWA access, blocking legacy authentication protocols, and implementing conditional access policies. While these do not patch the vulnerability, they can limit the potential impact of an exploited session.
Third, closely monitor Exchange Server logs for signs of exploitation. Indicators may include unusual OWA logins, attempts to load external scripts, or unexpected email sending patterns. Microsoft has not provided specific detection guidance, but generic XSS detection rules in web application firewalls may help.
Finally, plan for migration to Exchange Online or upgrade to a supported version that will receive the patch. The ESU program provides some runway, but ultimately, cloud-based email reduces the burden of patching and security maintenance.
This vulnerability underscores the importance of staying current with security updates and having an incident response plan ready. As always, organizations should subscribe to Microsoft security alerts and act on them promptly.
Source: Help Net Security News