Exchange OWA Zero-Day CVE-2026-42897 Exploited — No Patch
Microsoft Exchange Server zero-day CVE-2026-42897 enables session hijacking via malicious emails. Active exploitation confirmed with no permanent fix available.
Microsoft Exchange Server administrators face an uncomfortable reality: a zero-day vulnerability is being actively exploited in the wild, and no permanent patch exists. CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access (OWA) that allows attackers to hijack authenticated sessions by simply sending a malicious email.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 15, giving federal agencies until May 29 to apply mitigations. That deadline has passed. The attacks continue.
How the Attack Works
The exploitation chain is disturbingly simple. An attacker crafts a specially formatted email containing malicious JavaScript. When a recipient opens that email in OWA—not Outlook desktop, specifically the web interface—the JavaScript executes within their authenticated browser session.
From there, the attacker can:
- Steal session tokens — Gaining persistent access to the victim's mailbox
- Impersonate the user — Sending emails, accessing contacts, reading confidential messages
- Manipulate mail rules — Setting up forwarding rules to exfiltrate future emails silently
- Pivot laterally — Using the compromised mailbox to send convincing phishing emails to internal colleagues
The attack requires no clicking of links, no opening of attachments, no user interaction beyond viewing the email in OWA. The victim sees what looks like a normal message while the malicious payload executes in the background.
Affected Versions
Exchange Online (Microsoft 365) is not affected. The vulnerability specifically targets on-premises deployments:
- Exchange Server 2016 (all Cumulative Updates)
- Exchange Server 2019 (all Cumulative Updates)
- Exchange Server Subscription Edition (all update levels)
Organizations that migrated to Exchange Online aren't exposed, but hybrid deployments maintaining on-premises servers remain at risk for mailboxes still hosted locally.
The Patch Gap
Microsoft acknowledged the zero-day on May 15 and released automatic mitigations through the Exchange Emergency Mitigation Service (EM Service). These mitigations are enabled automatically on servers with the EM Service active.
But automatic mitigations aren't patches. They're workarounds that may affect functionality, and attackers are already probing for gaps. Security researchers have identified scenarios where the mitigations don't fully prevent exploitation, particularly in configurations with custom OWA themes or certain third-party add-ins.
Microsoft has not announced a timeline for a permanent fix.
Why This Matters
Exchange remains a high-value target. Despite Microsoft's aggressive push toward cloud migration, thousands of organizations still run on-premises Exchange—particularly in regulated industries, government agencies, and regions with data residency requirements.
The combination of active exploitation, no permanent patch, and the ability to compromise mailboxes without user interaction creates a perfect storm. Every day that passes without a fix is another day attackers have to harvest credentials and establish persistence.
This isn't the first time Exchange has faced extended zero-day exposure. The ProxyLogon vulnerabilities in 2021 followed a similar pattern—active exploitation discovered before patches were ready, leading to mass compromise of Exchange servers worldwide.
For organizations concerned about broader social engineering risks, compromised executive mailboxes are a goldmine for business email compromise (BEC) attacks. An attacker with access to a CFO's email can craft highly convincing wire transfer requests that bypass traditional phishing detection.
Recommended Mitigations
Until Microsoft releases a permanent patch:
- Verify EM Service is active — Check that Exchange Emergency Mitigation Service is running and mitigations are applied
- Audit custom OWA configurations — Custom themes and add-ins may create mitigation gaps; consider disabling non-essential customizations
- Review mail flow rules — Check for recently created forwarding rules that could indicate compromise
- Consider temporary OWA restrictions — For highly sensitive users, switching to Outlook desktop reduces exposure
- Monitor for suspicious session activity — Watch for OWA logins from unusual locations or at unusual times
- Accelerate cloud migration planning — If you were already considering Exchange Online, this vulnerability strengthens the business case
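The first four checks above can be scripted from the Exchange Management Shell on an on-premises server. The following is an added example, not a script from the article or from Microsoft; it assumes an account with at least View-Only Organization Management rights, a 30-day lookback window, and uses the placeholder mailbox name 'finance-cfo' for the OWA restriction step.

```powershell
# Added example (not from the article or Microsoft). Run in the Exchange
# Management Shell on an on-premises Exchange 2016/2019/SE server.
$since = (Get-Date).AddDays(-30)   # assumed lookback window

# 1. Confirm the Emergency Mitigation Service is running and mitigations are applied.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer |
    Format-Table Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

# 2. Forwarding configured on the mailbox object itself (survives rule cleanup).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules in any mailbox that forward or redirect mail; DeleteMessage=True
#    alongside a forward is the classic "silent exfiltration" pattern.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={$_.MailboxOwnerId}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 4. Who created or changed inbox rules recently, as recorded in the admin audit log.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, CmdletName

# 5. Organization-wide transport rules changed recently that copy or redirect mail.
Get-TransportRule |
    Where-Object { $_.WhenChanged -ge $since -and ($_.BlindCopyTo -or $_.RedirectMessageTo) } |
    Select-Object Name, WhenChanged, BlindCopyTo, RedirectMessageTo

# 6. Temporarily block OWA for a high-value mailbox (placeholder identity);
#    Outlook desktop, EWS and ActiveSync are unaffected by this switch.
# Set-CASMailbox -Identity 'finance-cfo' -OWAEnabled $false
```

Any hit in steps 2, 3 or 5 that nobody can account for should be treated as a possible indicator of mailbox compromise and investigated before the rule is removed, so the forwarding target and creation time are preserved as evidence.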
Organizations running legacy Exchange deployments should also review the Nightmare-Eclipse vulnerabilities affecting Windows Defender, as compromised Exchange servers running on affected Windows hosts face compounded risk.
The CVSS score of 8.1 (High) reflects the network-based attack vector and the potential for significant impact. Don't let the absence of a "critical" rating create false comfort—active exploitation makes severity ratings academic.