Microsoft Finally Patches Exchange OWA Zero-Day After 26-Day Wait

Microsoft has released permanent patches for CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server's Outlook Web Access that attackers have exploited since mid-May. The fix arrives 26 days after CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate by May 29.

The catch: organizations running Exchange Server 2016 or 2019 can only get the update through Microsoft's Extended Security Update program, leaving many enterprises with a choice between paying for ESU or remaining exposed.

How the Attack Works

An attacker sends a specially crafted email to a target. When the recipient opens that message in Outlook Web Access and interacts with it in certain ways, malicious JavaScript executes in their browser session. Microsoft classifies this as a spoofing vulnerability, but the practical impact is arbitrary code execution within the user's authenticated OWA context.

The attack requires no prior access to the Exchange environment. All an attacker needs is a valid email address for someone who uses OWA—making this a prime vector for phishing campaigns targeting enterprise users.

What's Affected

The vulnerability hits three Exchange Server versions:

• Exchange Server 2016 (CU23 and earlier)
• Exchange Server 2019 (CU14 and CU15)
• Exchange Server Subscription Edition RTM

Exchange Online is not vulnerable. Cloud customers can ignore this one.

The ESU Problem

Here's where it gets complicated. Microsoft released the June 9 Security Updates for all three affected versions, but the patches for Exchange 2016 and 2019 are only available to customers enrolled in Period 2 Extended Security Updates.

Organizations that haven't purchased ESU coverage are stuck with the emergency mitigations Microsoft deployed back on May 14. Those mitigations work—they block the attack—but they also break functionality. Calendar printing stops working, and some images may not display correctly in OWA.

The workaround for air-gapped environments involves running PowerShell scripts through the Exchange On-premises Mitigation Tool (EOMT). Not exactly a clean solution for the long term.

Why This Took So Long

Microsoft's initial response was fast: they detected exploitation in the wild, disclosed the vulnerability, and pushed emergency mitigations through the Exchange Emergency Mitigation Service on the same day. But the permanent fix took nearly a month to ship.

That delay matters. Security teams at federal agencies and large enterprises spent weeks managing workarounds while waiting for a proper patch. The broken calendar printing alone generated support tickets across thousands of organizations.

This incident echoes the pattern we saw with last month's Microsoft Patch Tuesday release, where critical vulnerabilities required rapid response but permanent fixes lagged behind initial mitigations.

What to Do Now

If you run Exchange Server Subscription Edition, apply the June Security Update immediately. No ESU required.

For Exchange 2016 and 2019:

1. Check your ESU enrollment status
2. If enrolled, apply the update now
3. If not enrolled, verify that EEMS has applied the mitigation automatically
4. For air-gapped systems, run the EOMT PowerShell scripts manually

Microsoft's Exchange team has published detailed guidance on their Tech Community blog.

The Bigger Picture

On-premises Exchange continues to be a target-rich environment. We covered a similar zero-day scenario with Veeam last week, where attackers exploited backup infrastructure before patches were available. The pattern repeats: attackers find flaws in widely-deployed enterprise software, exploit them immediately, and defenders scramble to respond.

The ESU gating on this patch adds another dimension. Microsoft clearly wants organizations to migrate to Exchange Online or at least pay for extended support. But forcing security updates behind a paywall creates real risk for budget-constrained organizations that can't move quickly.

If you're still running Exchange 2016, this might be the push you need to evaluate your migration timeline. The ESU clock is ticking, and each new vulnerability makes that calculation more urgent.