Microsoft has confirmed that a high-severity zero-day vulnerability in Exchange Server is being actively exploited in the wild — and there is no patch available yet. Tracked as CVE-2026-42897, the flaw is a cross-site scripting (XSS) vulnerability rooted in improper neutralization of input during web page generation within the Outlook Web Access (OWA) interface. Organizations running on-premises Exchange deployments have been put on high alert, with security teams scrambling to apply stopgap mitigations while Microsoft prepares a permanent fix slated for future cumulative update releases.
The disclosure lands at a particularly uncomfortable moment. Just days before Microsoft's confirmation, Pwn2Own Berlin 2026 saw prominent researcher Orange Tsai of DEVCORE chain together three separate Exchange bugs to achieve remote code execution with SYSTEM-level privileges, earning a $200,000 prize. While the Pwn2Own chain is an entirely distinct set of vulnerabilities from CVE-2026-42897, the timing reinforces a well-established reality among threat intelligence practitioners: Exchange Server continues to be one of the most lucrative targets in enterprise infrastructure.
What Is CVE-2026-42897?
CVE-2026-42897 is classified as an improper neutralization of input during web page generation — the category that covers reflected and stored cross-site scripting attacks. The vulnerability exists in the Outlook Web Access component of Microsoft Exchange Server, the browser-based email client that allows users to access their Exchange mailboxes from any web browser.
The CVSS base score is 8.1, placing it squarely in the High severity bracket. The scoring reflects the real-world impact potential: successful exploitation requires an attacker to send a specially crafted email, and if the victim opens that message in OWA under specific interaction conditions, arbitrary JavaScript executes within the victim's browser session in the context of the Exchange OWA origin.
Microsoft's official guidance describes the attack scenario as requiring the target to open the malicious email and for certain browser interaction conditions to be met. The precise nature of those interaction conditions has not been fully disclosed — a common practice to limit the ability of threat actors to refine their techniques before a patch is available. What Microsoft has confirmed is that active exploitation against on-premises Exchange deployments is occurring, though the identity of the threat actor and the scale of the campaign have not been publicly attributed.
Critically, Exchange Online is not affected. Microsoft's cloud-hosted email service runs on a continuously updated infrastructure that has already received protections. The vulnerability exclusively impacts organizations that have chosen — or are required by regulatory, operational, or legacy constraints — to maintain on-premises Exchange deployments.
Affected Versions
According to Microsoft's advisory and confirmed by multiple security outlets including Security Affairs and The Hacker News, the following product versions are vulnerable:
- Exchange Server 2016 — all current cumulative update versions
- Exchange Server 2019 — all current cumulative update versions
- Exchange Server Subscription Edition (SE) — current releases
Exchange Server 2016 and 2019 are in extended support phases, which means they receive security updates exclusively through Microsoft's Period 2 Extended Security Update (ESU) program. Organizations not enrolled in that program may find themselves in a difficult position: they are running vulnerable software and the permanent patch, when it arrives, will only be delivered through an ESU channel that requires a separate licensing commitment.
The permanent fix is planned for delivery in:
- Exchange Server SE RTM (upcoming release)
- Exchange Server 2016 CU23
- Exchange Server 2019 CU14 and CU15
Until those updates ship, the only available defenses are the mitigations Microsoft has outlined — no emergency out-of-band patch has been released.
How the Attack Works
Understanding the mechanics of this vulnerability requires a brief grounding in how XSS attacks function in webmail contexts, and why they are particularly dangerous in that setting.
OWA is a web application that renders email content inside a browser. Email messages can contain HTML, and OWA must walk a careful line: it needs to render legitimate formatting while stripping out malicious code. When this sanitization fails — when the application does not properly neutralize user-supplied input before inserting it into the generated web page — an attacker can inject JavaScript that executes in the victim's browser session.
In the case of CVE-2026-42897, the attack chain begins with the delivery of a specially crafted email. The attacker does not need any credentials, any prior foothold, or any access to the target organization's network. Email is, by design, delivered from the outside world into the inbox. The attacker simply needs to know — or guess — a valid email address for someone at the target organization who uses OWA.
When the victim opens the crafted message in OWA and certain browser interaction conditions are satisfied, the malicious JavaScript payload executes. Because it runs in the context of the OWA origin, the script has access to whatever session state, cookies, tokens, and DOM data are available within that browser session. This enables a range of follow-on attacks:
- Session token theft: The script can exfiltrate session cookies or authentication tokens, allowing the attacker to hijack the victim's Exchange session from a remote machine.
- Email exfiltration: JavaScript executing in the OWA context can make authenticated API calls on behalf of the victim — reading, forwarding, or deleting emails.
- Credential harvesting: The script can inject fake login prompts or redirect the victim to attacker-controlled infrastructure.
- Internal reconnaissance: If OWA exposes organizational directory information (common in Exchange deployments), injected scripts can enumerate internal users and potentially map the organization's structure.
- Lateral movement facilitation: Captured session tokens or harvested credentials can be used to pivot deeper into the environment.
The combination of zero user interaction beyond opening an email, no authentication requirement for the attacker, and execution within a privileged browser context makes this a particularly effective initial access vector.
Why No Patch — And What That Means
Infosecurity Magazine and ISS Source both noted that Microsoft's response to CVE-2026-42897 deviates from the typical Patch Tuesday model. Rather than a security update, Microsoft has provided mitigation guidance while engineering teams work toward permanent fixes in upcoming cumulative updates.
This situation is not unprecedented for Exchange. The product's complexity — decades of accumulated code, deeply integrated Windows Server components, intricate dependencies between transport, storage, and web rendering subsystems — means that patches require careful staging and regression testing. A botched Exchange patch can break mail flow for an entire organization, which is why Microsoft typically batches Exchange fixes into cumulative updates rather than shipping emergency patches.
For organizations running Exchange 2016 or 2019 outside the ESU program, the calculus is even more uncomfortable. The permanent fix will only arrive through channels they are not currently subscribed to. This creates a financial and operational decision point: enroll in ESU to receive the patch when it ships, implement mitigations and accept residual risk, or accelerate migration to Exchange Online or another platform.
Pwn2Own Berlin 2026: Exchange as a High-Value Target
The active exploitation of CVE-2026-42897 arrived in the same news cycle as a notable research achievement at Pwn2Own Berlin 2026. On Day 2 of the competition, Orange Tsai of DEVCORE — one of the most respected Exchange security researchers in the world — chained together three previously unknown vulnerabilities to achieve remote code execution with SYSTEM privileges on Exchange Server. The demonstration earned $200,000 from the Pwn2Own prize pool.
It is worth being clear: the Pwn2Own chain is entirely separate from CVE-2026-42897. These are different vulnerabilities, discovered through different research processes, affecting the product in different ways. The Pwn2Own bugs will go through Trend Micro's Zero Day Initiative disclosure process and will eventually reach Microsoft's attention through coordinated vulnerability disclosure.
What the Pwn2Own result does reinforce is the sustained research and threat actor interest in Exchange as a target. Orange Tsai's history with Exchange is well documented — DEVCORE's research was instrumental in uncovering the ProxyLogon (CVE-2021-26855) and ProxyShell vulnerability chains that enabled mass exploitation campaigns in 2021. Those campaigns led to the compromise of tens of thousands of Exchange servers globally, with nation-state threat actors including HAFNIUM leading exploitation before patches were even available to the public.
The pattern repeats: Exchange is complex enough to contain deep, chainable vulnerabilities; valuable enough to attract elite researchers and threat actors alike; and common enough in enterprise environments that successful exploitation translates to broad impact.
Why Exchange Remains a High-Value Target
To understand why Exchange attracts such sustained attack surface research and active exploitation, it helps to consider what a compromised Exchange server represents to a threat actor.
Email is the intelligence crown jewel. A compromised Exchange server provides access to the entire email history of an organization — contracts, financial discussions, personnel matters, M&A communications, legal correspondence, and executive communications. For nation-state espionage actors and financially motivated threat groups alike, this intelligence value is immense.
Exchange is deeply integrated with Active Directory. Exchange Server communicates extensively with Active Directory for authentication, address book lookups, and policy enforcement. A foothold on Exchange often provides privileged read access to directory data and, in many configurations, elevated rights that can be leveraged for domain compromise.
On-premises deployments are often under-patched. Cloud-hosted services receive continuous updates pushed by the provider. On-premises deployments require deliberate administrative action to patch. In large organizations with change management processes, complex dependencies, and limited maintenance windows, Exchange servers can lag months behind available security updates.
Exchange sits on the network perimeter by design. Receiving email from the internet requires Exchange to be reachable from the internet, at least indirectly. This means that vulnerabilities in Exchange's internet-facing components — OWA, Exchange Web Services, ActiveSync, Autodiscover — are directly reachable by external attackers without requiring them to first breach any other layer of defense.
Legacy deployments are common. Many organizations run Exchange versions that are at or beyond end-of-mainstream-support, often due to application dependencies, regulatory requirements, or the significant operational effort required to migrate or upgrade. These organizations face longer exposure windows for any given vulnerability.
Mitigation Steps
With no patch available, organizations must rely on the mitigations Microsoft has documented. Security teams should treat these as urgent, not optional, given confirmed active exploitation.
Apply Microsoft's official mitigation scripts. Microsoft has released mitigation guidance through the Exchange Health Checker and, in some cases, specific mitigation scripts. Check the MSRC Update Guide and the Microsoft Tech Community Exchange blog for the most current mitigation instructions. These should be applied to all affected Exchange servers immediately.
Restrict OWA access. If OWA is not required for all users, disable it for accounts that do not need browser-based access. For organizations where OWA is required, consider restricting it to VPN-connected sessions or specific IP ranges where operationally feasible. Reducing the population of users who access OWA directly reduces the attack surface for the email-delivery vector.
Enable and review email filtering. Configure anti-malware and advanced threat protection policies to flag or quarantine emails containing unusual HTML constructs, obfuscated JavaScript, or anomalous content patterns. While sophisticated attackers may bypass signature-based detection, layered email filtering provides meaningful friction.
Implement Content Security Policy headers. Where possible, implement or strengthen HTTP Content Security Policy (CSP) headers for OWA. A well-configured CSP restricts the origins from which scripts can load and execute, which can limit the impact of successful XSS exploitation even if the initial injection occurs. Note that OWA's CSP configuration options are limited compared to custom web applications, but any hardening is worthwhile.
Enable multi-factor authentication. If MFA is not already enforced for all OWA access, implement it immediately. MFA does not prevent XSS execution, but it significantly raises the bar for attackers attempting to use stolen session tokens or credentials for follow-on access. A captured session token is far less useful if the attacker also needs to satisfy an MFA challenge to establish a new session.
Monitor for anomalous OWA activity. Increase logging verbosity for OWA access and set up alerts for unusual patterns: access from unexpected geographic locations, abnormal session durations, unusual API call patterns (such as bulk email reads or unexpected email forwarding rules), and access from IP addresses not associated with known VPN exit nodes.
Assess ESU enrollment. For organizations running Exchange 2016 or 2019, assess whether enrollment in the Period 2 Extended Security Update program is warranted. The permanent fix for CVE-2026-42897 will be delivered through that channel, and the current active exploitation situation makes a strong case for the investment.
Accelerate migration planning. Active exploitation of an unpatched vulnerability is a forcing function for migration conversations that may have been deprioritized. Exchange Online, which is not affected by CVE-2026-42897, provides a target state that eliminates this class of on-premises risk. Organizations that have been deferring migration should revisit that timeline in light of the current threat landscape.
Monitoring and Detection Guidance
Detecting exploitation of an XSS vulnerability is inherently more difficult than detecting network-layer attacks, because the malicious activity occurs within the victim's browser session rather than at the network perimeter. However, several detection approaches are viable.
OWA and IIS logs. Review Internet Information Services (IIS) logs on Exchange servers for unusual request patterns to OWA URLs. Look for requests containing script tags, encoded JavaScript, unusual parameter strings, or requests to endpoints that are not typically called through normal OWA usage. Baseline normal usage patterns first to reduce false positives.
Email gateway telemetry. If you operate an email security gateway that performs deep inspection of inbound messages, configure it to log and alert on emails containing JavaScript payloads, obfuscated HTML, or unusual combinations of MIME types. Look for emails from external senders that contain HTML parts with script-adjacent constructs.
Browser-side telemetry. Endpoint Detection and Response (EDR) tools that include browser telemetry can capture JavaScript execution events. If your EDR platform supports this, look for unusual script execution within the browser process when OWA tabs are active.
Forwarding rule creation. A common post-exploitation action following OWA session compromise is the creation of email forwarding rules to exfiltrate ongoing communications. Monitor Exchange for new forwarding rules created on user accounts, particularly rules that forward to external domains. This can be done via Exchange PowerShell: Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo}.
Authentication anomalies. After stealing a session token, an attacker may attempt to establish new authenticated sessions. Monitor for authentication events from unexpected IP addresses, particularly for accounts that recently accessed OWA, and for sessions established shortly after normal working hours for the affected user's time zone.
Threat intelligence feeds. Help Net Security notes that indicators of compromise associated with campaigns exploiting CVE-2026-42897 may emerge through threat intelligence sharing communities. Ensure your organization subscribes to relevant ISAC feeds, Microsoft's threat intelligence publications, and reputable commercial threat intelligence sources, and integrate those indicators into your SIEM detection rules.
The Broader Patch Gap Problem
The situation with CVE-2026-42897 illustrates a challenge that extends well beyond this single vulnerability. The gap between vulnerability disclosure and patch availability — particularly when that gap involves active exploitation — places defenders in an inherently reactive posture.
BleepingComputer's coverage highlights that the confirmed exploitation predates the public advisory, meaning some organizations were being targeted before the security community was even aware of the vulnerability's existence. This is the defining characteristic of a zero-day: the defenders are always behind.
The ESU program structure for Exchange 2016 and 2019 adds another layer of complexity. Microsoft's decision to route security patches for legacy versions through a paid ESU program is commercially understandable but operationally challenging. Organizations that have not budgeted for ESU enrollment may find themselves unable to apply the permanent fix when it ships without first resolving a procurement and licensing process.
Security teams should use this moment to revisit their patch management posture for Exchange specifically and internet-facing Microsoft infrastructure more broadly. The cadence of significant Exchange vulnerabilities over the past five years — ProxyLogon, ProxyShell, ProxyNotShell, and now CVE-2026-42897, alongside the Pwn2Own chains — suggests that treating Exchange patch deployment as a low-urgency administrative task is a risk management failure.
Conclusion
CVE-2026-42897 represents the kind of vulnerability scenario that security teams dread: a high-severity flaw with confirmed active exploitation, no patch available, and a product version matrix that means many organizations will face additional hurdles even when a patch is eventually released.
The immediate priorities are clear. Apply Microsoft's published mitigations now. Restrict OWA access where possible. Increase monitoring on Exchange infrastructure and OWA session activity. Assess whether ESU enrollment is appropriate for legacy Exchange versions. And begin or accelerate planning for migration to Exchange Online if on-premises Exchange is not a hard operational requirement.
The Pwn2Own context, while involving a separate vulnerability chain, serves as a useful reminder: some of the world's most skilled security researchers continue to find deep, chainable flaws in Exchange, and threat actors follow the same research ecosystem. Exchange is not becoming safer over time simply through the passage of time — it requires active, ongoing security investment.
Organizations that treat this advisory as a signal to harden their Exchange posture now will be in a materially better position than those who wait for a patch before acting. The threat actor behind the confirmed active exploitation is already operating in the environment. The question is whether defenders will narrow the window before more damage is done.
For the latest mitigation guidance and updates on patch availability, monitor the Microsoft Tech Community Exchange blog and the MSRC Update Guide directly. The situation is developing and guidance may be updated as Microsoft's investigation progresses.