Executive Summary
A critical zero-day vulnerability in Microsoft Exchange Server—currently tracked as CVE-2026-42897—is being actively exploited in the wild. This vulnerability affects on-premises deployments of Microsoft Exchange Server 2016, Microsoft Exchange Server 2019, and Microsoft Exchange Server Subscription Edition (SE). The flaw is rooted in a cross-site scripting (XSS) issue within Outlook Web Access (OWA), enabling remote attackers to execute arbitrary JavaScript in the context of a victim’s browser session. There is no official patch available at this time. Microsoft has released emergency mitigations, but organizations must act immediately to protect their environments. The exploitation of this vulnerability can lead to session hijacking, credential theft, and lateral movement within enterprise networks. This advisory provides a comprehensive technical analysis, threat actor insights, exploitation evidence, and actionable mitigation guidance.
Threat Actor Profile
Attribution for the exploitation of CVE-2026-42897 remains unconfirmed as of this report. Multiple security vendors and Microsoft have observed exploitation in the wild, but no specific advanced persistent threat (APT) group or cybercriminal syndicate has been publicly linked to these attacks. The tactics, techniques, and procedures (TTPs) observed are consistent with both targeted espionage operations and opportunistic cybercrime. The exploitation method—leveraging a zero-day XSS in a widely deployed enterprise product—suggests a threat actor with moderate to advanced technical capability and a focus on high-value targets. The lack of public proof-of-concept (PoC) code and the sophistication of the attack chain indicate that the threat actors are likely maintaining operational security to maximize the window of exploitation before a patch is released.
Technical Analysis of Malware/TTPs
CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in the OWA component of on-premises Microsoft Exchange Server. The vulnerability is triggered when a specially crafted email is rendered in the OWA client. The malicious email contains embedded JavaScript payloads that are insufficiently sanitized by the OWA rendering engine. When a user opens the email in OWA, the attacker-controlled JavaScript executes in the context of the user’s browser session.
This allows the attacker to perform actions such as session hijacking, credential harvesting, and impersonation of the victim within the OWA interface. The attacker can also pivot to internal resources if the compromised user has elevated privileges. The attack does not require user interaction beyond opening the malicious email in OWA, making it highly effective against organizations with exposed OWA endpoints.
The exploitation chain leverages the following TTPs:
- Delivery of a specially crafted email to the target’s mailbox.
- Exploitation of the XSS flaw upon email rendering in OWA.
- Execution of arbitrary JavaScript in the victim’s browser context.
- Potential exfiltration of session cookies, authentication tokens, or sensitive data.
- Use of stolen credentials or session tokens for lateral movement or further compromise.
No malware samples or secondary payloads have been publicly disclosed, but the attack surface allows for the deployment of additional malicious scripts or the redirection of victims to attacker-controlled infrastructure.
Exploitation in the Wild
Active exploitation of CVE-2026-42897 has been confirmed by Microsoft and multiple independent security researchers. The attacks are primarily targeting organizations with externally accessible OWA portals. The exploitation is stealthy, as it leverages legitimate email delivery mechanisms and does not require exploitation of the underlying operating system or Exchange binaries.
Detection of exploitation is challenging due to the lack of public indicators of compromise (IOCs) and the nature of XSS attacks, which often leave minimal forensic artifacts. Security vendors have reported increased scanning and probing of OWA endpoints, as well as targeted phishing campaigns delivering malicious emails designed to trigger the vulnerability.
There is no evidence of widespread commodity exploitation or automated mass scanning at this time, but the risk of rapid escalation remains high as details of the vulnerability become more widely known. Organizations with unmitigated, internet-facing Exchange servers are at the highest risk.
Victimology and Targeting
The primary victims of CVE-2026-42897 exploitation are organizations running on-premises Microsoft Exchange Server 2016, 2019, or Subscription Edition with OWA enabled and accessible from the internet. Sectors observed to be at elevated risk include government agencies, financial institutions, healthcare providers, legal firms, and large enterprises with distributed workforces.
Attackers are likely prioritizing targets based on the value of email communications, the presence of sensitive data, and the potential for lateral movement within the network. Organizations with outdated Exchange deployments or those not enrolled in the Exchange Server Extended Security Updates (ESU) program are particularly vulnerable, as they may not be able to leverage all available mitigations.
There is no evidence that Exchange Online or cloud-hosted Microsoft 365 environments are affected by this vulnerability.
Mitigation and Countermeasures
With no official patch available, immediate mitigation is critical. Microsoft recommends the following actions:
Organizations should enable the Exchange Emergency Mitigation Service (EEMS), which automatically applies a URL Rewrite mitigation to block exploitation attempts. EEMS must be enabled and running as a Windows service on supported Exchange deployments. For air-gapped or offline servers, administrators should use the latest Exchange On-premises Mitigation Tool (EOMT). The mitigation can be applied from the Exchange Management Shell: run .\EOMT.ps1 -CVE "CVE-2026-42897" on a single server, or Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897" to cover all non-Edge servers.
Administrators should inventory all internet-facing Exchange servers, confirm that emergency mitigations are applied, and prioritize protection of OWA-enabled servers that are externally reachable. Known side effects of the mitigation include the loss of OWA Print Calendar functionality, issues with inline image display, and lack of support for OWA Light mode. Workarounds include using Outlook Desktop or sending images as attachments.
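The inventory step above, as an added example that is not from the advisory or from Microsoft: it reports EEMS posture for every non-Edge server so the manual EOMT run is aimed only at servers EEMS is not protecting. It assumes an EEMS-capable CU where Get-ExchangeServer exposes MitigationsEnabled, MitigationsApplied and MitigationsBlocked, and that the EEMS Windows service is named MSExchangeMitigation.

```powershell
# Added example (not the advisory's or Microsoft's code). Run from the Exchange Management Shell.
# Assumptions: MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties on
# Get-ExchangeServer output, and the EEMS service name 'MSExchangeMitigation'.
$cve = 'CVE-2026-42897'   # CVE id quoted in the advisory

# Organization-wide switch for EEMS; when $false no server applies mitigations at all
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
    # EEMS service state on the remote host; $null when the host is unreachable (air-gapped)
    $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    $svcStatus  = if ($svc) { [string]$svc.Status } else { 'Unreachable' }
    $eemsActive = $orgEnabled -and $srv.MitigationsEnabled -and ($svcStatus -eq 'Running')

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = [string]$srv.AdminDisplayVersion
        EemsEnabled        = [bool]$srv.MitigationsEnabled
        EemsService        = $svcStatus
        MitigationsApplied = (@($srv.MitigationsApplied) -join ',')
        MitigationsBlocked = (@($srv.MitigationsBlocked) -join ',')
        NeedsEomt          = -not $eemsActive
    }
}

$report | Sort-Object NeedsEomt -Descending | Format-Table -AutoSize

# Servers EEMS cannot protect get the manual EOMT run the advisory quotes
# (.\EOMT.ps1 -CVE "CVE-2026-42897"), executed on that host; listed here rather than run remotely.
foreach ($s in ($report | Where-Object NeedsEomt)) {
    Write-Warning "EEMS not active on $($s.Server) ($($s.EemsService)); run EOMT for $cve on that server"
}
```

Compare the MitigationsApplied column against the mitigation id Microsoft publishes for this CVE; an entry in MitigationsBlocked means an administrator has excluded that mitigation on that server.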
Detection recommendations include monitoring for anomalous OWA-driven browser activity, auditing email logs for suspicious crafted emails, and reviewing authentication logs for signs of session hijacking or credential misuse. Organizations should also review their incident response plans and ensure that security teams are prepared to respond to potential exploitation.
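One of the authentication-log checks mentioned above, as an added example that is not part of the advisory: it flags an OWA user whose requests come from more than one client IP or browser within a short window, a common signal of a hijacked session. It reads IIS W3C log text from the Exchange front end; the sample lines are constructed, not captured traffic.

```powershell
# Added example (not from the advisory): session-hijack signal over IIS W3C logs for /owa.
function Find-OwaSessionAnomaly {
    param([string[]]$LogLines, [int]$WindowMinutes = 30)
    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Only authenticated OWA requests carry this signal
        if ($row['cs-uri-stem'] -notlike '/owa*' -or $row['cs-username'] -eq '-') { continue }
        [pscustomobject]@{
            Time  = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            User  = $row['cs-username']
            Ip    = $row['c-ip']
            Agent = $row['cs(User-Agent)']
        }
    }
    # Per user: several source IPs or user agents inside the window warrants an analyst's look
    $rows | Group-Object User | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $ips    = @($_.Group.Ip | Sort-Object -Unique)
        $agents = @($_.Group.Agent | Sort-Object -Unique)
        if ($span -le $WindowMinutes -and ($ips.Count -gt 1 -or $agents.Count -gt 1)) {
            [pscustomobject]@{ User = $_.Name; SourceIps = ($ips -join ' '); UserAgents = $agents.Count; SpanMin = [math]::Round($span, 1) }
        }
    }
}

# Constructed sample: alice's session continues from a second IP with a different browser
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-02 09:00:05 10.0.0.5 GET /owa/ - 443 CORP\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Edge/120 200
2026-03-02 09:01:12 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CORP\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Edge/120 200
2026-03-02 09:04:40 10.0.0.5 POST /owa/service.svc action=FindItem 443 CORP\alice 198.51.100.77 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/122 200
2026-03-02 09:05:01 10.0.0.5 GET /owa/ - 443 CORP\bob 203.0.113.22 Mozilla/5.0+(Windows+NT+10.0)+Chrome/121 200
'@ -split "`r?`n"

Find-OwaSessionAnomaly -LogLines $sample | Format-Table -AutoSize
```

On the sample only CORP\alice is reported (two IPs, two user agents, 4.6 minutes); bob's single-IP, single-browser session is not.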
References
- Microsoft Security Response Center: Guidance for CVE-2026-42897
- BleepingComputer: Microsoft warns of Exchange zero-day flaw exploited in attacks
- SecurityWeek: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- HelpNetSecurity: Exchange Server CVE-2026-42897 exploited
- The Hacker News: On-Prem Microsoft Exchange Server CVE
- Reddit: Active exploitation of Microsoft Exchange Server
About Rescana
Rescana is a leader in third-party risk management (TPRM) and cyber threat intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their extended supply chain and digital ecosystem. By leveraging advanced analytics, automation, and real-time threat intelligence, Rescana enables security teams to proactively identify vulnerabilities, prioritize remediation, and ensure compliance with industry standards. For more information about how Rescana can help your organization strengthen its cyber resilience, please visit our website.
We are happy to answer questions at ops@rescana.com.