BleepingComputer via Reddit

Microsoft Exchange Zero-Day XSS Exploited, No Patch Yet

microsoft cybersecurity zero-day

Key insights

  • CVE-2026-42897 allows arbitrary JavaScript execution in OWA via crafted email, with no official code patch currently available.
  • All three major on-premises Exchange versions (2016, 2019, Subscription Edition) are confirmed vulnerable and actively targeted.
  • Microsoft's EEMS auto-mitigation only protects servers where the service is already enabled and has outbound connectivity.

Why this matters

On-premises Exchange remains deeply embedded in regulated industries and government networks, so an actively exploited XSS zero-day with no patch creates a measurable window for session hijacking, credential theft, and lateral movement at scale. The EEMS auto-mitigation dependency is a hidden risk multiplier: organizations that disabled or firewalled EEMS for compliance or network segmentation reasons have no automated protection and may not know it. For security leaders evaluating cloud migration timelines, this incident adds concrete, time-pressured evidence that on-prem Exchange carries asymmetric operational risk relative to hosted alternatives.

Summary

Microsoft is actively warning administrators about CVE-2026-42897, a high-severity cross-site scripting flaw in Exchange Server that attackers are already weaponizing in the wild with no code-level patch available. The attack vector is deceptively simple: a specially crafted email, when opened in Outlook Web Access, executes arbitrary JavaScript inside the victim's browser session. Exchange Server 2016, 2019, and the Subscription Edition are all confirmed affected, meaning the exposure spans a large portion of on-premises Exchange deployments still common in enterprise and government environments. In short, Microsoft and on-prem Exchange operators are in a gap window where exploitation is live and the only defenses are workarounds, not a fix.

  • Microsoft's Exchange Emergency Mitigation Service (EEMS) auto-applies workarounds on eligible on-prem servers, but only if EEMS is enabled and reachable.
  • The Exchange On-premises Mitigation Tool (EOMT) is available for manual remediation where EEMS cannot run automatically.
  • Organizations should treat any anomalous OWA session activity since disclosure as a potential indicator of compromise.

The broader exposure here is structural: a significant share of enterprise email infrastructure still runs on-prem Exchange, and a zero-day with active exploitation and no patch puts every unmitigated server in a race against attacker tooling.
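The summary's point that EEMS only helps where it is enabled and has outbound connectivity is something an operator can verify rather than assume. The following PowerShell audit is an added example, not code from the BleepingComputer article or from Microsoft; it uses the documented Exchange Management Shell cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties, and assumes the EEMS polling endpoint is still the documented `officeclient.microsoft.com` over TCP 443. It runs from the Exchange Management Shell on one server, so the reachability test reflects that host's egress path, not necessarily every server's.

```powershell
# Added example (not from the article): audit whether the Exchange Emergency
# Mitigation Service (EEMS) can actually protect each on-prem Exchange server.
# Run from the Exchange Management Shell. Cmdlets and property names follow
# Microsoft's EEMS documentation; the endpoint below is an assumption based on
# the documented Office Config Service that EEMS polls for mitigations.
$endpoint = 'officeclient.microsoft.com'

# 1. Org-wide switch: if this is $false, EEMS is off everywhere regardless of
#    per-server settings.
$org = Get-OrganizationConfig
Write-Host ("Org-level MitigationsEnabled: {0}" -f $org.MitigationsEnabled)

# 2. Egress check from this host. Segmented or firewalled servers that cannot
#    reach the endpoint will never receive auto-applied mitigations.
$reach = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue

# 3. Per-server state: EEMS can be enabled org-wide yet disabled on one server,
#    and an applied mitigation can be blocked locally.
$report = foreach ($s in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    $detail = Get-ExchangeServer -Identity $s.Name
    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        MitigationsEnabled = $detail.MitigationsEnabled
        MitigationsApplied = ($detail.MitigationsApplied -join ',')
        MitigationsBlocked = ($detail.MitigationsBlocked -join ',')
        EndpointReachable  = $reach.TcpTestSucceeded   # measured from this host only
        # AutoProtected is true only when every precondition for EEMS holds.
        AutoProtected      = [bool]($org.MitigationsEnabled -and
                                    $detail.MitigationsEnabled -and
                                    $reach.TcpTestSucceeded)
    }
}

$report | Format-Table -AutoSize

# Servers that fail any precondition are the ones that need manual EOMT
# remediation during the patch gap.
$report | Where-Object { -not $_.AutoProtected } |
    ForEach-Object { Write-Warning ("{0}: not covered by EEMS auto-mitigation" -f $_.Server) }
```

Servers flagged `AutoProtected = False` are exactly the population the article warns about: they will not receive the workaround automatically and are candidates for running Microsoft's EOMT script (published in the microsoft/CSS-Exchange GitHub repository) by hand. Because `Test-NetConnection` runs on the local host, repeat the audit on each server, or at least on one server per network segment, before trusting the `EndpointReachable` column for the fleet.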

Potential risks and opportunities

Risks

  • Enterprises with EEMS disabled or network-segmented Exchange servers face unmitigated exposure during the patch gap, with session hijacking enabling direct access to executive and finance mailboxes.
  • Government and defense contractors running on-prem Exchange under strict outbound-traffic policies may be unable to apply EEMS workarounds automatically, extending their vulnerable window until manual EOMT remediation is completed.
  • If attackers pivot from OWA session theft to internal phishing via compromised mailboxes, the blast radius expands well beyond Exchange administrators into any organization whose staff trusts internal email as a high-confidence channel.

Opportunities

  • Email security vendors with OWA-layer inspection or anomalous session detection (Proofpoint, Abnormal Security, Darktrace) can accelerate pipeline conversations with on-prem Exchange shops seeking compensating controls during the patch gap.
  • Microsoft 365 and Exchange Online migration partners see a near-term forcing function for stalled on-prem-to-cloud email projects, particularly in mid-market accounts where migration decisions have been deferred on cost grounds.
  • Managed security service providers offering rapid EOMT deployment and EEMS audit services can convert this incident into a short-cycle professional services engagement targeting the large installed base of unmanaged on-prem Exchange servers.

What we don't know yet

  • Which threat actors or groups are confirmed behind active exploitation as of May 15, 2026, and whether any campaigns are targeted versus opportunistic.
  • Whether Microsoft has a patch timeline or Patch Tuesday commitment, given the disclosure occurred outside a regular release cycle.
  • How many on-premises Exchange deployments currently have EEMS disabled or unreachable, leaving auto-mitigation ineffective.