Full Report
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]
Analysis Summary
# Vulnerability: Microsoft Exchange Server Spoofing (XSS) Zero-Day
## CVE Details
- **CVE ID:** CVE-2026-42897
- **CVSS Score:** 8.8 (High) - *Calculated based on High severity/Network vector*
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** Microsoft Exchange Server
- **Versions:**
- Exchange Server 2016
- Exchange Server 2019
- Exchange Server Subscription Edition (SE)
- **Configurations:** Systems where Outlook Web Access (OWA) is enabled and accessible to users.
## Vulnerability Description
CVE-2026-42897 is a high-severity spoofing vulnerability that manifests as a Cross-Site Scripting (XSS) flaw within Outlook Web Access (OWA). The vulnerability is triggered when a user opens a specially crafted email. Due to improper sanitization of email content, an attacker can execute arbitrary JavaScript code within the context of the victim's browser session. This could allow the attacker to steal session tokens, perform actions on behalf of the user, or access sensitive information within the OWA interface.
## Exploitation
- **Status:** Exploited in the wild (Zero-day). Added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- **Complexity:** Medium (Requires user interaction: opening a crafted email).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to session cookies, emails, and user data).
- **Integrity:** High (Ability to perform unauthorized actions in the user's OWA context).
- **Availability:** Low (Does not typically crash the server service).
## Remediation
### Patches
Microsoft released the **June 2026 Security Updates** to permanently address this flaw. Administrators should apply the updates corresponding to their specific Exchange version:
- Exchange Server 2016 (Cumulative Update 23 and above)
- Exchange Server 2019 (Cumulative Update 13 and above)
- Exchange Server Subscription Edition
### Workarounds
- **Exchange Emergency Mitigation Service (EEMS):** Microsoft deployed automatic temporary mitigations via EEMS in mid-May 2026.
- **Manual Mitigation:** Microsoft recommends keeping the initial mitigations in place even after patching to provide an additional layer of defense against similar XSS vectors.
## Detection
- **Indicators of Compromise:** Unusual JavaScript execution patterns in OWA logs; presence of suspicious obfuscated scripts in incoming email bodies.
- **Detection methods and tools:** Monitor OWA traffic for scripts attempting to exfiltrate session tokens or performing suspicious POST requests to external domains. Review EEMS logs to verify if automatic mitigations were successfully applied prior to patching.
## References
- **MSRC Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-42897
- **Exchange Team Blog:** hxxps[://]techcommunity[.]microsoft[.]com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Report:** hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/