A high-severity vulnerability in Microsoft Exchange Server's Outlook Web Access (OWA) lets an attacker run script in a victim's browser when the victim opens a crafted email in OWA. The issue affects multiple on-premises Exchange versions and is being exploited in the wild, prompting emergency mitigation steps that may degrade the user experience while full patches are awaited.

  • Actively exploited cross-site scripting (XSS) flaw lets attacker-controlled script run in the victim's browser inside their OWA session
  • Mitigation may disrupt inline images, calendar printing, and OWA Light functionality
  • Full patches are publicly available only for Subscription Edition; Exchange 2016 and 2019 receive fixes only through Extended Security Updates

Threat signal

The vulnerability, tracked as CVE-2026-42897, affects multiple Exchange Server versions and allows an attacker to run script in a user's browser through a malicious email opened in Outlook Web Access (OWA). Because the script executes in the context of the victim's authenticated OWA session, it can be used to spoof content and to take actions in the mailbox as that user.

Microsoft has not published exploit details but has confirmed that the flaw is being exploited in the wild. Its CVSS score of 8.1 (High) reflects the low user interaction required, and organizations should assess their exposure and apply the available mitigations promptly.

Operator exposure

Organizations running on-premises Exchange Server, specifically Exchange 2016, Exchange 2019, and Subscription Edition, are exposed until a patch or the emergency mitigation is applied. The full, feature-rich OWA interface is the attack surface. Servers that cannot reach Microsoft's mitigation feed do not receive the Emergency Mitigation Service fix automatically, and servers on out-of-support versions get no public patch, so disconnected environments and older installations are the most exposed.

The mitigation delivered through the Exchange Emergency Mitigation Service (EEMS) temporarily reduces risk but comes with trade-offs: inline images are disabled and calendar printing is impaired. OWA Light mode, deprecated since 2024, may also stop working reliably, so administrators should weigh upgrading or offering an alternative access method to limit operational disruption.

What teams should watch

Security and infrastructure teams should first confirm that Microsoft's emergency mitigation has actually been applied on every server, then prepare for full patch deployment. Monitor for unusual OWA activity and anomalous inbound mail, since exploitation only requires a user to open a crafted message.

Because only Exchange Subscription Edition receives a publicly available patch, and Exchange 2016 and 2019 depend on Extended Security Updates enrollment, teams must verify their support status and plan accordingly. Moving off deprecated versions, or to a cloud-based alternative, reduces both long-term risk and the operational complications of emergency mitigations.
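The two checks above (is EEMS enabled and applied on each server, and can each server reach the mitigation feed at all) can be scripted. The following is an added example written for this briefing; it is not code from the briefing's source or from Microsoft. It runs in the Exchange Management Shell and assumes PowerShell remoting to each Exchange server is enabled. The cmdlet and property names (Get-OrganizationConfig and Get-ExchangeServer with MitigationsEnabled, MitigationsApplied and MitigationsBlocked) and the feed URL officeclient.microsoft.com/GetExchangeMitigations follow Microsoft's EEMS documentation; verify them against your build before relying on the output.

```powershell
# Added example for this briefing (not from the source article or Microsoft).
# Inventories every on-premises Exchange server: version, EEMS status,
# mitigations applied or blocked, and whether the server can reach the
# EEMS feed. Servers that cannot reach the feed never receive the OWA
# mitigation automatically.
# Assumptions: run from the Exchange Management Shell; PS remoting enabled
# to each server; property names per Microsoft's EEMS documentation.

$mitigationFeed = 'https://officeclient.microsoft.com/GetExchangeMitigations'

# Organization-wide EEMS switch. If $false, no server pulls mitigations.
$orgEemsEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer) {

    # Check feed reachability from the server itself, not from the admin
    # workstation: the server's own egress path is what matters for EEMS.
    $feedReachable = $false
    try {
        $status = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            param($u)
            (Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15).StatusCode
        } -ArgumentList $mitigationFeed -ErrorAction Stop
        $feedReachable = ($status -eq 200)
    } catch {
        # Unreachable or remoting failed; either way treat as not reachable.
        $feedReachable = $false
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        OrgEemsEnabled     = $orgEemsEnabled
        ServerEemsEnabled  = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ', ')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
        FeedReachable      = $feedReachable
    }
}

# Full inventory for the change record.
$report | Format-Table -AutoSize

# Servers that need attention: EEMS disabled at either level, feed
# unreachable, or no mitigation applied at all.
$needsAttention = $report | Where-Object {
    -not $_.OrgEemsEnabled -or
    -not $_.ServerEemsEnabled -or
    -not $_.FeedReachable -or
    [string]::IsNullOrEmpty($_.MitigationsApplied)
}

if ($needsAttention) {
    Write-Warning "Servers without an effective EEMS mitigation:"
    $needsAttention |
        Select-Object Server, Version, ServerEemsEnabled, FeedReachable, MitigationsApplied |
        Format-Table -AutoSize
} else {
    Write-Host "EEMS enabled, feed reachable and at least one mitigation applied on all servers."
}
```

A server that shows FeedReachable = False needs either an egress allowance for the feed or the mitigation applied by hand; a server with an entry in MitigationsBlocked will not receive that mitigation even when EEMS is otherwise healthy. The script reports only; it does not change any EEMS setting.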

Source assisted: This briefing began from a discovered source item from The Register Headlines.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published.
