Microsoft has confirmed a critical vulnerability in Exchange Server, identified as CVE-2026-42897, that allows code execution in the browser context through a cross-site scripting (XSS) attack against Outlook on the web (OWA) users. The exploit is triggered by a specially crafted email: if the recipient opens it in OWA and certain user-interaction conditions are met, it can run arbitrary JavaScript and therefore enable anything from the theft of cookies and session tokens to more complex attack chains that pivot within the network.
The flaw affects current versions of Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition (SE). Microsoft has stressed that, although no final patches are yet available, its Exchange Emergency Mitigation Service (EEMS) will deploy an automatic mitigation to protect on-premises servers with the Mailbox role. EEMS runs as a Windows service and was designed precisely to apply interim fixes for actively exploited vulnerabilities; if it is disabled, Microsoft recommends activating it immediately. More official details are on the Exchange team's blog: Exchange Team - Microsoft Tech Community.

For isolated (air-gapped) environments or administrators who prefer manual control, Microsoft offers the Exchange On-premises Mitigation Tool (EOMT). The mitigation is applied by running the script from an elevated Exchange Management Shell with commands such as `.\EOMT.ps1 -CVE "CVE-2026-42897"` on a single server, or `Get-ExchangeServer | Where-Object {$_.ServerRole -ne "Edge"} | .\EOMT.ps1 -CVE "CVE-2026-42897"` for all servers with relevant roles. If you need to understand how EEMS operates and what it requires before activating it, Microsoft's documentation about the service is a useful reference: Documentation for the Exchange Emergency Mitigation Service.
Security teams should internalize two operational realities: first, Microsoft has announced that it will release patches for Exchange SE RTM and for certain cumulative updates (CUs) of 2016 and 2019, but the updates for Exchange 2016 and 2019 will be available only to customers enrolled in the ESU Period 2 program; second, if your server runs a version prior to March 2023, EEMS will not be able to download the new mitigation, which requires a manual mitigation or update plan.
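The following PowerShell audit, added here as an example rather than taken from the article or from Microsoft's tooling, reports the EEMS state on every non-Edge server from an elevated Exchange Management Shell so you can see where the automatic mitigation will land and where the manual EOMT run is still needed. The cmdlets and properties used (`Get-OrganizationConfig`, `Get-ExchangeServer`, `MitigationsEnabled`, `MitigationsApplied`, the `MSExchangeMitigation` service) are the documented ones; `$EomtPath` is an assumed location for a downloaded copy of EOMT.ps1, and the `$Enable` switch is a convenience for this example.

```powershell
# Added example (not the article's or Microsoft's code): audit EEMS on all
# non-Edge Exchange servers and print the manual EOMT command where it is off.
$Cve      = 'CVE-2026-42897'
$EomtPath = 'C:\EOMT\EOMT.ps1'   # assumption: where EOMT.ps1 was saved
$Enable   = $false               # set $true to turn EEMS back on where it is disabled

# EEMS has an organization-wide switch and a per-server switch; both must be on.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    # The Windows service that downloads and applies the mitigations.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    $effective = $orgEnabled -and $srv.MitigationsEnabled -and $svc -and $svc.Status -eq 'Running'

    if ($Enable -and -not $srv.MitigationsEnabled) {
        Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true
    }

    [pscustomobject]@{
        Server             = $srv.Name
        OrgSwitch          = $orgEnabled
        ServerSwitch       = $srv.MitigationsEnabled
        Service            = if ($svc) { $svc.Status } else { 'NotFound' }
        EemsEffective      = $effective
        MitigationsApplied = ($srv.MitigationsApplied -join ',')
        # Where EEMS is not effective, this is the command to run locally on that server.
        ManualCommand      = if ($effective) { '' } else { "& '$EomtPath' -CVE '$Cve'" }
    }
}

if ($Enable -and -not $orgEnabled) { Set-OrganizationConfig -MitigationsEnabled $true }

$report | Format-Table -AutoSize
```

Run it after the automatic mitigation is expected to have rolled out: servers whose `MitigationsApplied` column does not yet list the mitigation for this CVE, or whose `EemsEffective` is `False` (including servers on builds older than March 2023, which cannot fetch new mitigations), are the ones where the `ManualCommand` should be executed from an elevated Exchange Management Shell on that server.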

The practical implications go beyond simple patching. An effective XSS exploit against OWA can result in persistent access to accounts, lateral movement and data exfiltration if the attacker obtains valid tokens or installs persistence mechanisms. It is therefore critical to reduce the exposed surface: consider blocking external access to OWA from the public network where possible, require a VPN for administrative access and enable multi-factor authentication (MFA) on the front end that validates identities before presenting the web interface.
At the operational level, act by priority: activate EEMS if available, apply EOMT in isolated environments, and plan the installation of official patches as soon as they are published. In parallel, monitor IIS logs, OWA logs and reverse proxy detections for abnormal patterns that indicate mass mailings with HTML/JS payloads, sessions initiated from suspicious locations or changes to session cookies. If your organization keeps Exchange 2016/2019 beyond its end of support, reassess the risk and the need to migrate to supported versions or obtain an ESU subscription.
Finally, coordinate with your incident response team on a retrospective hunt for indicators of compromise related to OWA access and possible recent exfiltration. Maintaining a proactive posture and applying the automatic or manual mitigation now reduces the exposure window until the final patches arrive and prevents a single user click from turning into a larger breach.
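As an added example of the log monitoring recommended above (not from the article), this PowerShell script parses IIS W3C log lines from the OWA site and flags any authenticated user whose requests switch client IP within a short window, which is the signature a stolen session cookie leaves behind. The log lines are constructed for the example; the `$WindowMinutes` threshold and the `python-requests` user agent are illustrative assumptions.

```powershell
# Added example (not the article's code): detect OWA sessions that jump
# between client IPs inside a short window in IIS W3C logs.
$WindowMinutes = 10   # assumption: tune to your environment

# Constructed sample log in IIS W3C format. In production replace with
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'.
$raw = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-04 09:00:12 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 198.51.100.23 Mozilla/5.0 200
2026-05-04 09:03:40 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CONTOSO\alice 198.51.100.23 Mozilla/5.0 200
2026-05-04 09:05:02 10.0.0.5 POST /owa/service.svc action=FindItem 443 CONTOSO\alice 203.0.113.77 python-requests/2.31 200
2026-05-04 09:06:15 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 192.0.2.10 Mozilla/5.0 200
2026-05-04 15:30:00 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 192.0.2.44 Mozilla/5.0 200
'@
$lines = $raw -split "`r?`n"

# Turn W3C lines into objects, using the #Fields: header for property names.
function ConvertFrom-IisW3c {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

# For each authenticated OWA user, flag consecutive requests whose client IP
# differs while the time gap is within the window.
function Find-OwaIpSwitch {
    param([object[]]$Entries, [int]$WindowMinutes = 10)
    $owa = $Entries |
        Where-Object { $_.'cs-uri-stem' -like '/owa*' -and $_.'cs-username' -ne '-' } |
        ForEach-Object {
            $ts = [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            $_ | Add-Member -NotePropertyName Timestamp -NotePropertyValue $ts -PassThru
        }
    foreach ($user in ($owa | Group-Object 'cs-username')) {
        $prev = $null
        foreach ($e in ($user.Group | Sort-Object Timestamp)) {
            if ($prev -and $e.'c-ip' -ne $prev.'c-ip' -and
                ($e.Timestamp - $prev.Timestamp).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    User      = $user.Name
                    FromIp    = $prev.'c-ip'
                    ToIp      = $e.'c-ip'
                    Minutes   = [math]::Round(($e.Timestamp - $prev.Timestamp).TotalMinutes, 1)
                    UserAgent = $e.'cs(User-Agent)'
                    Uri       = $e.'cs-uri-stem'
                }
            }
            $prev = $e
        }
    }
}

$entries = ConvertFrom-IisW3c -Lines $lines
Find-OwaIpSwitch -Entries $entries -WindowMinutes $WindowMinutes | Format-Table -AutoSize
```

On the sample data only alice is reported: her session moves from 198.51.100.23 to 203.0.113.77 within about 1.4 minutes and the new client identifies itself with a scripted user agent, whereas bob's two addresses are six hours apart and fall outside the window. Feeding the flagged pairs into the retrospective hunt gives the incident response team a concrete starting point: the user, the two addresses and the time of the switch.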