Microsoft has confirmed active exploitation of CVE-2026-42897, a critical cross-site scripting vulnerability affecting on-premises Microsoft Exchange Server deployments. First observed on May 14, 2026, the CVE-2026-42897 spoofing vulnerability impacts Microsoft Exchange Server 2016, Microsoft Exchange Server 2019, and Microsoft Exchange Server Subscription Edition (SE); Microsoft Exchange Online is not affected.
The CVE-2026-42897 vulnerability stems from a cross-site scripting (XSS) issue within the Outlook Web Access (OWA) component of Microsoft Exchange Server, allowing threat actors to embed malicious JavaScript code into specially crafted emails that can execute within a victim’s authenticated browser session when accessed through OWA. The CVE-2026-42897 exploitation enables attackers to hijack user sessions, manipulate mailbox data, and conduct further malicious activity while impersonating legitimate users with access to Exchange Server email infrastructure.
Microsoft has designated CVE-2026-42897 with “Exploitation Detected” status, confirming that the vulnerability is already being actively exploited in the wild by unknown threat actors targeting on-premises Exchange Server deployments. Although no permanent security patch is currently available for CVE-2026-42897, Microsoft has rolled out temporary mitigations through the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT) to help organizations reduce exposure while attacks continue targeting vulnerable Microsoft Exchange servers worldwide.
CVE-2026-42897 is a spoofing vulnerability caused by a cross-site scripting (XSS) flaw in the web-facing components of on-premises Microsoft Exchange Server. The CVE-2026-42897 vulnerability stems from improper sanitization of user-controlled input embedded within email content before it is rendered in the Outlook Web Access (OWA) interface, allowing attackers to inject malicious code into the Exchange Server web application.
At its core, the CVE-2026-42897 vulnerability is linked to inadequate input validation in Microsoft Exchange Server, allowing threat actors to embed malicious JavaScript payloads within specially crafted emails. When a victim accesses the malicious email through Outlook Web Access and performs certain undisclosed interactions with the email content, the injected script executes within the security context of the victim’s authenticated browser session. This CVE-2026-42897 exploitation could enable attackers to hijack authenticated sessions, manipulate mailbox data, exfiltrate sensitive email content, or conduct further malicious activity while impersonating the legitimate user on the Exchange Server platform.
Microsoft confirmed that all update levels of Microsoft Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) are affected by CVE-2026-42897, while Microsoft Exchange Online cloud-based email service is not impacted by the vulnerability. Microsoft has also designated the CVE-2026-42897 flaw with “Exploitation Detected” status, indicating that the vulnerability is already being actively exploited in the wild by threat actors targeting on-premises Exchange Server infrastructure.
At present, no permanent security patch has been released to remediate CVE-2026-42897 in affected Microsoft Exchange Server versions. As an interim measure, Microsoft is using the Exchange Emergency Mitigation Service (EEMS) to automatically deploy a URL rewrite rule designed to block CVE-2026-42897 exploitation attempts on Exchange servers with EEMS enabled and internet connectivity.
For air-gapped environments or systems where the Exchange Emergency Mitigation Service cannot be used due to network isolation, Microsoft Exchange administrators can manually apply CVE-2026-42897 protections through the Exchange On-premises Mitigation Tool (EOMT). EOMT is run from an elevated Exchange Management Shell and deploys the same URL rewrite mitigation across Exchange servers without requiring internet connectivity to Microsoft's mitigation services.
Microsoft has not yet disclosed specific details about the threat actors behind the CVE-2026-42897 attacks, the scope of targeting in active exploitation campaigns, or the effectiveness of ongoing exploitation attempts against vulnerable Exchange Server deployments. Organizations running on-premises Microsoft Exchange Server should prioritize deployment of available mitigations and monitor for the release of a permanent security update addressing CVE-2026-42897.
Verify that the Exchange Emergency Mitigation Service is active on all on-premises Exchange Servers so that they receive automatic CVE-2026-42897 mitigations. EEMS is enabled by default and will automatically apply a URL rewrite configuration to mitigate CVE-2026-42897 exploitation attempts. If the Windows service has been disabled, re-enable it without delay, as this is the fastest path to reducing CVE-2026-42897 exposure while a permanent patch is pending.
For Exchange Servers operating in air-gapped or isolated networks where EEMS cannot function, download the latest Exchange On-premises Mitigation Tool (EOMT) from Microsoft and execute it via an elevated Exchange Management Shell. Run the command .\EOMT.ps1 -CVE "CVE-2026-42897" on each server individually, or use the pipeline command to apply CVE-2026-42897 mitigations across all non-Edge servers simultaneously.
After enabling EEMS or running EOMT, verify that the CVE-2026-42897 mitigation status displays as “Applied” on each Exchange server. Microsoft has acknowledged a known cosmetic issue where the Description field may display “Mitigation invalid for this exchange version” even when the CVE-2026-42897 mitigation has been successfully applied. Confirm application by checking the status field rather than the description field.
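The three checks above (EEMS service running, mitigation applied, trust the status rather than the description) can be collected in one pass from an elevated Exchange Management Shell. This is an added example, not code from Microsoft or the original post; it assumes the EEMS Windows service name MSExchangeMitigation, the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties returned by Get-ExchangeServer, and a placeholder mitigation ID that must be replaced with the ID shown in Microsoft's EEMS/EOMT output for CVE-2026-42897.

```powershell
# Added example: report EEMS state and CVE-2026-42897 mitigation status per server.
# Assumptions: service name 'MSExchangeMitigation'; Get-ExchangeServer exposes
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked; the mitigation ID
# below is a placeholder because the advisory does not state it.
$MitigationId = '<MITIGATION-ID>'   # placeholder, replace with Microsoft's ID

# EEMS and EOMT target every role except Edge Transport.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }

$report = foreach ($srv in $servers) {
    # Check 1: is the EEMS Windows service present and running on this host?
    $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' `
                       -ErrorAction SilentlyContinue
    $svcState = if ($svc) { [string]$svc.Status } else { 'NotFound' }

    # Check 2: is our mitigation in the applied list (and not in the blocked list)?
    # The applied/blocked lists are the status source; the free-text description
    # may read "Mitigation invalid for this exchange version" even when applied.
    $applied = @($srv.MitigationsApplied) -contains $MitigationId
    $blocked = @($srv.MitigationsBlocked) -contains $MitigationId

    [pscustomobject]@{
        Server             = $srv.Name
        EemsService        = $svcState
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = $applied
        Blocked            = $blocked
        # Flag anything that needs a follow-up: service not running, or
        # mitigation missing/blocked. Isolated hosts then get EOMT manually.
        NeedsAction        = ($svcState -ne 'Running') -or (-not $applied) -or $blocked
    }
}

$report | Sort-Object NeedsAction -Descending | Format-Table -AutoSize

# Remediation hint for flagged hosts (run on the affected server):
#   Set-Service -Name MSExchangeMitigation -StartupType Automatic; Start-Service MSExchangeMitigation
#   or, where EEMS has no internet path:  .\EOMT.ps1 -CVE "CVE-2026-42897"
```

Servers that show Blocked = True have had the mitigation explicitly blocked by an administrator; treat that as a deliberate exception to review, not as an EEMS failure.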
As a supplemental hardening measure, limit external access to Outlook Web Access through firewall rules, VPN requirements, or conditional access policies until a permanent patch is available for CVE-2026-42897. Reducing the attack surface by limiting who can reach OWA from the internet significantly decreases the likelihood of CVE-2026-42897 exploitation.
Monitor Microsoft’s Security Response Center (MSRC) and Exchange Team Blog for the release of a cumulative update or security update that permanently addresses CVE-2026-42897. Plan for an expedited patch deployment cycle given the confirmed active exploitation status and CISA KEV catalog listing for CVE-2026-42897.
Maintain a continuous vulnerability management program that includes regular scanning of Exchange Server infrastructure, tracking of security advisories from Microsoft and CISA, and prompt evaluation of emergency mitigations. Ensure an accurate inventory of all Exchange Server versions and update levels across the environment, and assess the security posture of email infrastructure as a critical business service.
Initial Access: T1566.001 (Spearphishing Attachment), T1190 (Exploit Public-Facing Application)
Execution: T1059.007 (JavaScript)
Defense Evasion: T1036 (Masquerading)
Resource Development: T1588.006 (Vulnerabilities)
Microsoft Security Response Center – CVE-2026-42897 Vulnerability Guide