Microsoft confirmed this month that CVE-2026-42897, a cross-site scripting flaw in on-prem Microsoft Exchange Server, is being exploited in the wild. The advisory carries an “Exploitation Detected” assessment and a CVSS score of 8.1, and the attack pattern is depressingly familiar: a user opens a crafted message in Outlook Web Access, “certain interaction conditions” are met, and arbitrary JavaScript runs in the user’s browser context. Exchange Online is unaffected; everyone running Exchange 2016, 2019, or Subscription Edition (SE) — at any update level — is in scope.
The shape of the bug
Per the advisory, the root cause is “improper neutralization of input during web page generation” — a textbook stored-XSS pattern, dressed up as a spoofing attack because the rendered payload can impersonate UI the user trusts. In practice, that means the same exploit can be chained into session-token theft, mailbox-rule manipulation, or staging a follow-on phish against the rest of the org from a credible internal sender. CISA added the CVE to its Known Exploited Vulnerabilities catalog on the day of disclosure and set May 29, 2026 as the federal remediation deadline. Treat that as the floor, not the ceiling.
What Microsoft is shipping right now
There is no permanent patch on day one. Microsoft is using the Exchange Emergency Mitigation Service — the auto-mitigation channel introduced after the ProxyLogon era — to push a temporary block. EEMS is on by default in supported builds, so most environments will already have the mitigation. For air-gapped or disconnected estates, Microsoft is shipping the Exchange On-Premises Mitigation Tool as a manual install, applicable per-server or org-wide via PowerShell. The broader May Patch Tuesday is unusually heavy too — per The Hacker News, 138 vulnerabilities were addressed, including a critical Windows DNS heap overflow (CVE-2026-41096, CVSS 9.8) and a SYSTEM-privilege escalation in Defender (CVE-2026-41091).
What this means for practitioners
Three immediate actions for the response team:
- Confirm EEMS is enabled on every on-prem Exchange node before assuming you are mitigated. The default is on, but configuration drift is real.
- Hunt for the obvious post-exploit signals: new mailbox rules, unexpected OAuth grants on the user’s identity, anomalous OWA session counts in audit logs.
- Re-evaluate the on-prem timeline. This is the fourth significant on-prem Exchange CVE in eighteen months. If the migration plan to Exchange Online is still labelled “FY27 planning”, the security case for accelerating it just got stronger.
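The first two actions above can be scripted from the Exchange Management Shell. The following is an added example for this article, not Microsoft's tooling and not code from the advisory: it reads the org-wide and per-server EEMS state that Exchange exposes on Get-OrganizationConfig and Get-ExchangeServer, then sweeps every mailbox for inbox rules that forward, redirect, or delete mail, which is the persistence most often left behind after an OWA session is hijacked. The report path and the Mailbox-role filter are assumptions for illustration.

```powershell
# Added triage example (not from the article or the advisory). Run in the
# Exchange Management Shell on an on-prem Exchange 2016/2019/SE server.
# $ReportPath is an assumed location; adjust for your estate.
$ReportPath = 'C:\Temp\cve-2026-42897-triage.csv'

# --- 1. Emergency Mitigation Service (EEMS) status ------------------------
# MitigationsEnabled must be $true at the org level AND on every server.
# MitigationsApplied lists the mitigation IDs the service has already pushed;
# MitigationsBlocked lists IDs an admin has deliberately excluded.
# (These properties exist from the builds that introduced EEMS; on an older
# CU they come back empty, which itself means the node is unsupported.)
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Org-wide EEMS enabled: $orgEnabled"

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
$eems = foreach ($s in $servers) {
    [PSCustomObject]@{
        Server              = $s.Name
        AdminDisplayVersion = $s.AdminDisplayVersion
        MitigationsEnabled  = $s.MitigationsEnabled
        MitigationsApplied  = (@($s.MitigationsApplied) -join ';')
        MitigationsBlocked  = (@($s.MitigationsBlocked) -join ';')
    }
}
$eems | Format-Table -AutoSize

# A node with EEMS off is unmitigated regardless of the org-wide setting.
$eems | Where-Object { -not $_.MitigationsEnabled } | ForEach-Object {
    Write-Warning "EEMS disabled or unavailable on $($_.Server) - treat as unmitigated"
}

# --- 2. Mailbox-rule sweep ------------------------------------------------
# Flag rules that exfiltrate (forward/redirect) or hide (delete) mail. These
# are the "new mailbox rules" signal from the response checklist; review each
# hit with the mailbox owner rather than deleting blindly.
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                RuleName  = $_.Name
                Enabled   = $_.Enabled
                Targets   = ((@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';')
                Deletes   = $_.DeleteMessage
            }
        }
}

$suspicious | Sort-Object Mailbox, RuleName | Format-Table -AutoSize
$suspicious | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Flagged $(@($suspicious).Count) rule(s); report written to $ReportPath"
```

The rule sweep will surface legitimate forwarding (shared mailboxes, assistants), so the CSV is a review queue, not a verdict; the value is in diffing it against the same sweep run before the disclosure date, or against a known-good baseline if one exists.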
Full technical writeups are available in The Hacker News coverage linked above.