Zero Day Microsoft Exchange Servers On Target | CVE-2026-42897

Microsoft Exchange Server CVE

A severe zero-day vulnerability in Microsoft Exchange Server is currently being exploited in the wild by threat actors. The flaw targets browser-based email access and allows hackers to hijack corporate mailboxes without needing valid login credentials.

The US Cybersecurity and Infrastructure Security Agency (CISA) has officially added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to enforce defensive mitigations immediately.

Key Points

  • The ID: Tracked as CVE-2026-42897 (CVSS Severity Score: 8.1)
  • The Flaw: A critical, reflected Cross-Site Scripting (XSS) and spoofing vulnerability located in the Outlook Web Access (OWA) component
  • The Target: On-premises deployments only. This includes Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) at any cumulative update level. Cloud-based Exchange Online is completely unaffected.
  • The Attack Vector: Deceptively simple. An attacker sends a specially crafted email to a corporate user. If the target opens that email in a web browser via Outlook Web Access (OWA), malicious, attacker-controlled JavaScript executes instantly in the background.

The Impact: How Bad Is It?

Unlike previous vulnerabilities like ProxyLogon, this zero-day does not give attackers full control of the server’s operating system. Instead, it allows them to fully compromise individual mailboxes.

An attacker who successfully triggers the XSS payload can:

  • Read, exfiltrate, and delete all corporate emails within that mailbox.
  • Send unauthorized outbound emails posing directly as the victim (perfect for highly targeted Business Email Compromise or BEC scams).
  • Steal session tokens to bypass Multi-Factor Authentication (MFA).
  • Silently establish hidden email forwarding rules that persist even if the user changes their network password.
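The hidden forwarding rules described above are the part of this compromise that survives a password change, so they are the first thing to hunt for after a suspected OWA incident. The following is an added defender-side example, not code from the article or from Microsoft: it runs in an elevated Exchange Management Shell and lists every inbox rule and mailbox-level forwarding setting whose target is outside your accepted domains. `Get-AcceptedDomain`, `Get-Mailbox`, `Get-InboxRule` and the `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo` and `ForwardingSmtpAddress` properties are standard Exchange cmdlets and properties; the `Test-ExternalAddress` helper is my own.

```powershell
# Added example (not from the article): hunt for inbox rules and mailbox forwarding
# that send mail to addresses outside the organization's accepted domains.
# Run from an elevated Exchange Management Shell.

# Build the list of domains that count as "internal" from the Exchange configuration.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Helper (hypothetical, defined here): true when an address does not belong to an accepted domain.
function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Rule recipients render as '"Display Name" [SMTP:user@domain]' or as plain 'smtp:user@domain';
    # pull out the bare SMTP address first (-match is case-insensitive by default).
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding configured with Set-Mailbox -ForwardingSmtpAddress
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress.ToString())) {
        [PSCustomObject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Type     = "MailboxForwarding"
            RuleName = ""
            Target   = $mbx.ForwardingSmtpAddress
            Enabled  = $true
        }
    }
    # Inbox rules that forward, forward-as-attachment, or redirect messages
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                [PSCustomObject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Type     = "InboxRule"
                    RuleName = $rule.Name
                    Target   = $t
                    Enabled  = $rule.Enabled
                }
            }
        }
    }
}

# Review every hit; disable or remove rules that the mailbox owner did not create.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Rules that match here are not automatically malicious (users do legitimately forward to a personal address), so treat the output as a triage list: confirm each rule with its owner, then remove anything unexplained with `Remove-InboxRule` or clear the forwarding with `Set-Mailbox -ForwardingSmtpAddress $null`.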

What’s Now: Immediate Remediation

Because this zero-day was discovered right after the monthly Patch Tuesday cycle, there is currently no official permanent patch available. System administrators must manually verify or deploy temporary URL-rewrite mitigations immediately.

1. Automatic Mitigation (EEMS)

For networks utilizing Microsoft’s automated defenses, the Exchange Emergency Mitigation Service (EEMS) has already pushed out an automated hotfix labeled Mitigation ID: M21x.

  • Action: Check your organization’s setup via the Exchange Health Checker script (`aka.ms/ExchangeHealthChecker`). Ensure the automated service is running and active.
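Beyond running Health Checker, an administrator will want a quick per-server view of whether EEMS is actually running and whether the expected mitigation shows up as applied. The following is an added example, not code from the article or Microsoft's own tooling: it uses the real `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties exposed by `Get-ExchangeServer` and the `MSExchangeMitigation` Windows service name. The mitigation ID `M21x` is taken from the article as a placeholder; substitute the ID your environment reports.

```powershell
# Added example (not from the article): check EEMS service state and mitigation
# status on every non-Edge Exchange server. Run from an elevated Exchange Management Shell.

$expectedMitigation = "M21x"   # placeholder from the article; replace with the ID shown in your environment

$results = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne "Edge" } |
    ForEach-Object {
        $server = $_
        # The Emergency Mitigation Service runs as the MSExchangeMitigation Windows service.
        $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Server             = $server.Name
            EEMSServiceStatus  = if ($svc) { $svc.Status.ToString() } else { "NotFound" }
            MitigationsEnabled = $server.MitigationsEnabled
            Applied            = (@($server.MitigationsApplied) -join ",")
            Blocked            = (@($server.MitigationsBlocked) -join ",")
            HasExpected        = (@($server.MitigationsApplied) -contains $expectedMitigation)
        }
    }

$results | Format-Table -AutoSize

# Call out servers where the automated path cannot be relied on; those need the manual EOMT route.
$results |
    Where-Object { $_.EEMSServiceStatus -ne "Running" -or -not $_.MitigationsEnabled -or -not $_.HasExpected } |
    ForEach-Object {
        Write-Warning ("{0}: EEMS={1} MitigationsEnabled={2} ExpectedMitigationApplied={3}" -f `
            $_.Server, $_.EEMSServiceStatus, $_.MitigationsEnabled, $_.HasExpected)
    }
```

A server that appears in the warning list is exactly the case the next section covers: EEMS is disabled, blocked, or unable to reach Microsoft, so the rule has to be applied by hand.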

2. Manual Mitigation (Air-Gapped / Disabled EEMS Environments)

If your Exchange servers are firewalled off from the open internet or EEMS is disabled, you must apply the rule manually using the Exchange on-premises Mitigation Tool (EOMT):

Download the latest tool package from `aka.ms/UnifiedEOMT`

Open an elevated Exchange Management Shell (EMS) and execute:

  • For a single server setup:
    `.\EOMT.ps1 -CVE "CVE-2026-42897"`
  • To push across all enterprise servers at once:
    `Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"`

3. Know the “Side Effects”

Applying this temporary URL-rewrite mitigation alters how OWA renders specific components. Warn your user base and help desk of the following temporary cosmetic regressions until Microsoft pushes a permanent software patch:

  • Inline email images may appear broken in the OWA reading pane (users will need to download images as attachments or switch to the Outlook Desktop App)
  • The OWA “Print Calendar” feature will fail to function properly
  • An intermittent cosmetic bug may flag the mitigation status as “Mitigation invalid for this exchange version” in the description pane. If the primary status column explicitly displays “Applied,” the patch is working safely.
