RiverCore
Exchange Zero-Day CVE-2026-42897 Under Attack, No Patch in Sight

19 May 2026 · 6 min read · James O'Brien

Picture a medieval town that spent a fortune on stone walls, iron gates, and a moat, then left the postman's side door propped open with a brick. That's roughly where Exchange OWA customers found themselves last Thursday. The walls held. The mail slot didn't.

Microsoft disclosed CVE-2026-42897 on Thursday May 18, an actively exploited zero-day in Outlook Web Access, and four days on there is still no patch. The fix, in Microsoft's own words, is coming "in the future".

What Happened

The short version: a cross-site scripting flaw in OWA lets an unauthenticated attacker pull off spoofing attacks over the network, and as Dark Reading reported, real exploitation is already in the wild. CISA added the CVE to its KEV catalog on Friday, which is the federal equivalent of pulling the fire alarm: under BOD 22-01, a KEV listing starts a hard remediation deadline for federal civilian agencies.

The timing is almost comedic. The bug landed two days after a chunky Patch Tuesday release that, ironically, contained no zero-days at all. Defenders had barely finished closing the previous month's tickets before this one slid into the queue with no fix attached.

Affected products are the on-prem trio: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft scored it CVSS 8.1. NIST's National Vulnerability Database disagreed and went with a medium-severity 6.1, which is exactly what the stock CVSS 3.1 vector for a cross-site scripting bug with user interaction and changed scope (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) produces, so NVD appears to have scored the bug class rather than the mailbox impact. That gap matters, because anyone running automated severity gating on their patch pipeline is going to get a different answer depending on which feed they trust.

The Centre for Cybersecurity Belgium published its own advisory on Monday, and the Belgians did not mince words. Successful exploitation, the CCB warned, can hand an attacker access to a victim's Outlook mailbox and session tokens, plus the ability to make unauthorized changes to mailbox settings or modifications to email content. In other words, the mail slot isn't just open. The attacker can also reach in and reshuffle the letters.

Technical Anatomy

Strip away the branding and this is a textbook XSS chain. Microsoft's own description tells the story plainly: "An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." That's it. A booby-trapped email, a victim who opens it in OWA, and the attacker's JavaScript is now running with the user's session.

XSS, lest anyone forget, is one of the most common bug classes on the planet and a permanent fixture on the OWASP Top 10. Bogdan Tiron, founder of penetration testing firm Fortbridge, made the point on LinkedIn that XSS "still owns enterprise mail in 2026" and that "the boring vulnerabilities are the ones that keep working". He's right, and anyone who has triaged a webmail product knows the guts of it: rich HTML rendering, decades of legacy markup compatibility, and a sanitizer that has to be perfect every single time against an attacker who only has to win once.
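The sanitizer problem described above, as an added example in JavaScript. This is not code from the article, from Microsoft or from OWA: it puts a denylist sanitizer (strip what you know is bad) beside an allowlist sanitizer (rebuild the message from known-good tags and attributes only, and validate URL schemes after decoding entities). The payloads are constructed test inputs and are not tied to CVE-2026-42897; the tokenizer is deliberately small to show the principle, and a real webmail client should use a DOM-based sanitizer such as DOMPurify rather than regexes over raw markup.

```javascript
// Added example (not code from the article, Microsoft or OWA): two HTML-mail
// sanitisers side by side. denylistSanitize is the pattern that keeps failing in
// webmail; allowlistSanitize is the shape that holds. Payloads are constructed.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "strong", "em", "a", "img",
                              "ul", "ol", "li", "div", "span", "blockquote"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "width", "height"] };
const ALLOWED_SCHEMES = ["http", "https", "mailto"];

// Denylist: remove <script> blocks and the literal string "javascript:".
function denylistSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// Decode the entity forms attackers use to hide a scheme from a string match.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"').replace(/&amp;/gi, "&");
}

function escapeText(t) {
  return t.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// A decoded URL passes only if it is relative or its scheme is in ALLOWED_SCHEMES.
// Control characters and whitespace are stripped first, because browsers ignore
// them inside a scheme: "java\tscript:" is still javascript: to the browser.
function safeUrl(decoded) {
  const v = decoded.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m === null || ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// Allowlist: re-emit the document from scratch, keeping only what is known good.
// Unknown tags and non-allowlisted attributes (on*, style, ...) are dropped, never
// "cleaned"; text nodes are decoded and re-escaped.
function allowlistSanitize(html) {
  const tagRe = /<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(decodeEntities(html.slice(last, m.index)));  // text between tags
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;                           // unknown tag: dropped
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    let attrs = "", a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
      if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue;     // event handlers etc. dropped
      if ((name === "href" || name === "src") && !safeUrl(value)) continue;
      attrs += ` ${name}="${escapeText(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeText(decodeEntities(html.slice(last)));
}

// Constructed payloads: the kinds of markup a crafted message body carries.
const SAMPLES = {
  benign:  '<p>Invoice <b>#4412</b> attached, see <a href="https://example.com/x">portal</a></p>',
  onerror: '<img src=x onerror=alert(document.cookie)>',
  entity:  '<a href="&#106;avascript:alert(document.cookie)">open</a>',
  tabbed:  '<a href="java&#x09;script:alert(1)">open</a>',
  script:  '<script>alert(1)</script>hi',
};

function compare(name) {
  return { denylist: denylistSanitize(SAMPLES[name]), allowlist: allowlistSanitize(SAMPLES[name]) };
}

for (const name of Object.keys(SAMPLES)) console.log(name, compare(name));
```

The denylist version removes the one thing it was written to remove and passes the `onerror` handler and the entity-encoded `javascript:` URL untouched; the allowlist version never has to know those tricks exist, because anything it did not explicitly allow is gone.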

Tiron's framing of the impact is the part worth tattooing on a wall somewhere. The risk, he wrote, "isn't server compromise. It's mailbox compromise, reading mail, sending emails as the victim, stealing session tokens, planting forwarding rules that survive password resets." That last detail is the boring bit that ruins quarters. A forwarding rule sitting quietly in a CFO's mailbox doesn't care that IT just rotated the password. It keeps siphoning invoices.

From there the path to business email compromise or ransomware staging is short and well-trodden. You don't need RCE on the Exchange host to wire-fraud a procurement team or seed an internal phishing campaign that bypasses every external email filter the org owns. You just need one credentialed-looking message from inside.

Who Gets Burned

On-prem Exchange shops are the obvious bag-holders here, and that's not a small population. Regulated industries, sovereign clouds, and anyone whose compliance team flinched at the idea of moving mailboxes to M365 are still running Exchange 2016, 2019, or SE in a basement somewhere. That includes a chunk of fintech back-offices, payments processors with strict data-residency requirements, and the iGaming operators who like keeping operational comms on infrastructure they physically control.

The verticals I'd worry about most over the next 90 days are the ones where mailbox compromise translates directly into money movement. Payments operations teams approve supplier changes by email. Treasury desks confirm wire details by email. Sportsbook operators coordinate with payment providers and KYC vendors by email. A forwarding rule on the right inbox is worth more than any ransomware payload.

Crypto and DeFi shops with any kind of corporate Exchange footprint should be especially twitchy. Anyone who has watched a bridge exploit unfold knows the attacker rarely breaks the cryptography. They social-engineer an operator. A persistent mailbox foothold is exactly the kind of pre-positioning that turns into a "how did they know our multisig signers' schedule" post-mortem six weeks later.

Ad-tech and enterprise infra companies that have already migrated to Exchange Online aren't off the hook either. Plenty of acquired subsidiaries still run their own on-prem Exchange because the integration project got punted to next quarter for three years running. Those forgotten servers are now CISA-listed liabilities sitting in your CMDB under "legacy, do not touch".

Playbook for Security Teams

First, do the unglamorous thing Microsoft is begging customers to do. Confirm the Exchange Emergency Mitigation Service is enabled. It was released in 2021, it's enabled by default, and Redmond has pushed a mitigation for 2016, 2019, and SE through it automatically. Microsoft's exact line is worth quoting: "Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away." Believe them.

If EM Service is off, the fallback is the updated Exchange On-premises Mitigation Tool (EOMT), applied per-server or run through an elevated Exchange Management Shell. Be warned, the known mitigations break OWA Print Calendar and OWA light functionality. That's a help-desk ticket storm worth eating.

Beyond the official mitigations, hunt for the persistence patterns Tiron flagged. Audit every mailbox for inbox rules, especially forwarding and redirect rules created in the last fortnight, and check mailbox-level forwarding addresses as well, since those sit outside the rules engine entirely. Invalidate OWA sessions en masse if your deployment supports it. Review sent items for messages that look like internal phishing or invoice-redirect attempts. Map the activity to the relevant ATT&CK techniques, Email Collection (T1114) and Email Forwarding Rule (T1114.003), Email Hiding Rules (T1564.008), Internal Spearphishing (T1534) and Steal Web Session Cookie (T1539), so your detections survive the next variant of this bug.
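The playbook above (confirm EM Service, then hunt for forwarding rules and recent rule changes), as an added PowerShell example for the Exchange Management Shell. This is not Microsoft's EOMT or EEMS tooling and not a script from the article; the cmdlets and properties are the standard on-premises Exchange ones, while the output folder, the 14-day window and the display format assumed for rule targets are assumptions.

```powershell
# Added example (not Microsoft's EOMT or EEMS tooling): run in an elevated Exchange
# Management Shell on an on-premises Exchange 2016/2019/SE server.
$ReportDir = 'C:\IR\owa-zero-day'          # assumed output folder
$Since     = (Get-Date).AddDays(-14)       # the playbook's "last fortnight"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Emergency Mitigation Service state. Mitigations only apply when the org-level
#    switch AND the per-server switch are both $true.
Get-OrganizationConfig | Select-Object MitigationsEnabled
Get-ExchangeServer |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize
# To switch it on where it is off, uncomment:
# Set-OrganizationConfig -MitigationsEnabled $true
# Get-ExchangeServer | Where-Object { -not $_.MitigationsEnabled } | Set-ExchangeServer -MitigationsEnabled $true

# 2. Mailbox-level forwarding (set on the mailbox object, outside the rules engine).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv "$ReportDir\mailbox-forwarding.csv" -NoTypeInformation

# 3. Inbox rules that forward, redirect or delete. Get-InboxRule exposes no creation
#    time, so every such rule is listed and external targets are flagged for review.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { $_.ToString() }
        if (-not $targets -and -not $rule.DeleteMessage) { continue }
        # Assumed display form: SMTP targets render as '"Name" [SMTP:user@domain]',
        # directory recipients as '[EX:/o=...]'. An SMTP domain outside the accepted
        # domains is external forwarding.
        $external = foreach ($t in $targets) {
            if ($t -match '\[SMTP:([^\]]+)\]') {
                $domain = ($Matches[1] -split '@')[-1].ToLower()
                if ($accepted -notcontains $domain) { $Matches[1] }
            }
        }
        [pscustomobject]@{
            Mailbox        = $mbx.PrimarySmtpAddress.ToString()
            Rule           = $rule.Name
            Enabled        = $rule.Enabled
            Targets        = ($targets -join '; ')
            External       = ($external -join '; ')
            DeletesMessage = $rule.DeleteMessage
            MarkAsRead     = $rule.MarkAsRead
            StopProcessing = $rule.StopProcessingRules
        }
    }
}
$findings | Export-Csv "$ReportDir\inbox-rules.csv" -NoTypeInformation
$findings | Where-Object { $_.External } | Format-Table Mailbox, Rule, External, DeletesMessage -AutoSize

# 4. Who changed rules or forwarding in the last 14 days.
#    a) Admin audit log: cmdlet-driven changes (EMS, EAC, remote PowerShell).
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Enable-InboxRule, Set-Mailbox `
    -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Export-Csv "$ReportDir\admin-audit.csv" -NoTypeInformation

#    b) Mailbox audit log: rules created from OWA or Outlook by the owner, or by an
#       attacker riding the owner's OWA session, appear as UpdateInboxRules, but only
#       for mailboxes with auditing on and UpdateInboxRules in the owner audit set.
$mailboxes | Where-Object { -not $_.AuditEnabled } |
    Select-Object PrimarySmtpAddress | Export-Csv "$ReportDir\audit-disabled.csv" -NoTypeInformation
$ruleEdits = foreach ($mbx in ($mailboxes | Where-Object { $_.AuditEnabled })) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Owner, Delegate, Admin -ShowDetails `
        -StartDate $Since -EndDate (Get-Date) |
        Where-Object { $_.Operation -eq 'UpdateInboxRules' } |
        Select-Object MailboxOwnerUPN, LogonType, LastAccessed, ClientInfoString, ClientIPAddress
}
$ruleEdits | Export-Csv "$ReportDir\mailbox-audit-rule-edits.csv" -NoTypeInformation
```

The audit-disabled list in step 4b is the one to read first: a mailbox that was not auditing before the attack window has no record of who added a rule, so its inbox rules from step 3 have to be judged on content alone.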

And update the patch-management runbook now, while it's quiet, because Microsoft has given exactly zero timetable for the actual fix. Have a maintenance window pre-booked for whenever it lands.

Key Takeaways

  • No patch, active exploitation, KEV-listed. CVE-2026-42897 is being used in the wild and Microsoft's ETA is "in the future".
  • Enable Exchange EM Service today. It's the recommended mitigation, ships enabled by default since 2021, and pushes the interim mitigation (not the eventual patch) automatically to 2016, 2019, and SE.
  • The risk is mailbox compromise, not server takeover. Expect BEC, forwarding-rule persistence, and session-token theft, not ransomware on the Exchange host.
  • CVSS 8.1 vs NIST 6.1. Automated severity gating will give inconsistent answers. Override manually and treat it as critical.
  • Boring bugs keep winning. XSS in webmail in 2026 is not a punchline. It's the brick holding the postman's door open while the keep stands proud behind it.

Frequently Asked Questions

Q: What is CVE-2026-42897 and why is it serious?

It's a cross-site scripting flaw in Microsoft Exchange Outlook Web Access that lets an unauthenticated attacker run JavaScript in a victim's browser session after they open a crafted email in OWA. It's serious because it's being actively exploited, CISA has added it to the KEV catalog, and Microsoft has not yet released a patch.

Q: Which Exchange versions are affected by CVE-2026-42897?

The vulnerability affects on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft assigned it a CVSS score of 8.1, while NIST's National Vulnerability Database rated it 6.1.

Q: How can organizations mitigate the Exchange zero-day before a patch ships?

Microsoft recommends enabling the Exchange Emergency Mitigation Service, which is on by default since 2021 and pushes a mitigation automatically. Alternatively, customers can download the updated Exchange On-premises Mitigation Tool and apply it per server. Both options cause some disruption to OWA Print Calendar and OWA light features.

James O'Brien
RiverCore Analyst · Dublin, Ireland