DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42897: CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA

#security #cve #cybersecurity

CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA

Vulnerability ID: CVE-2026-42897
CVSS Score: 8.1
Published: 2026-05-14

CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.

TL;DR

Actively exploited reflected XSS in Exchange Server OWA allows unauthenticated attackers to hijack authenticated sessions via crafted URLs. Microsoft released out-of-band updates and an IIS URL rewrite mitigation (EEMS M2) to address the flaw.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE: CWE-79
  • Attack Vector: Network
  • CVSS Score: 8.1
  • Impact: Session Hijacking / High Confidentiality & Integrity
  • Exploit Status: Actively Exploited
  • KEV Status: Listed

Affected Systems

  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server Subscription Edition
  • Microsoft Exchange Server 2016: <= Cumulative Update 23 (Fixed in: Cumulative Update 23 May 2026 SU)
  • Microsoft Exchange Server 2019: <= Cumulative Update 15 (Fixed in: Cumulative Update 14/15 May 2026 SU)
  • Microsoft Exchange Server Subscription Edition: RTM (Fixed in: May 2026 SU)

Mitigation Strategies

  • Apply the official out-of-band Security Updates (SUs) and Cumulative Updates (CUs) provided by Microsoft.
  • Ensure the Exchange Emergency Mitigation Service (EEMS) is active and has applied the M2 or M2.1 IIS URL Rewrite rule.
  • Monitor IIS logs for anomalous query strings, URL paths containing encoded script tags, and unexpected OWA access patterns.
  • Implement network-level Web Application Firewall (WAF) rules to detect and block common Cross-Site Scripting payload structures targeting Exchange endpoints.

Remediation Steps:

  1. Download the appropriate Security Update or Cumulative Update for the installed version of Microsoft Exchange Server.
  2. Install the update on all internal and edge Exchange Server instances.
  3. Verify the installation of the EEMS M2 mitigation using the Get-ExchangeServer PowerShell cmdlet.
  4. Review IIS logs to identify any accounts that interacted with malicious URLs prior to the patch application.
  5. Revoke active sessions and enforce password resets for any compromised accounts.

References

Read the full report for CVE-2026-42897 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)