Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture

If you did nothing this week: every on-premises Exchange Server 2016 / 2019 / SE deployment with Outlook Web Access reachable from the public internet has been within an active exploitation window since the CISA KEV addition on 2026-05-15. The exploit chain is a stored XSS in OWA's calendar-invite rendering pipeline that executes attacker JavaScript in the victim's session context the moment a crafted invite is opened in a browser; subsequent stages perform internal-mailbox enumeration, mass email-rule creation, and OWA-token theft for lateral SAML / OAuth abuse against connected M365 tenants. Microsoft has shipped only the EEMS (Exchange Emergency Mitigation Service) rule and the EOMT script as temporary mitigations — there is no permanent code patch as of week-end (Microsoft MSRC; Microsoft Exchange Team blog; NCSC.ch Security Hub #12577).

The threat picture compounded on 2026-05-15 when a DEVCORE / Orange Tsai entry at Pwn2Own Berlin Day Two earned $200,000 by chaining three bugs to achieve pre-auth RCE as SYSTEM on Exchange Server SE per the Zero Day Initiative published results (ZDI Day Two; ZDI does not publish per-bug technical detail before vendor patches under the standard 90-day disclosure clock). The DEVCORE chain has not been linked to current ITW exploitation, but Microsoft has not yet issued an out-of-band advisory; defenders should assume that a chained variant combining OWA-XSS initial access with the DEVCORE elevation primitives will become the operationally dominant Exchange threat well before any patch lands (daily 2026-05-16; daily 2026-05-17 UPDATE). For Swiss federal estates running on-premises Exchange (the predominant configuration in cantonal administration and federal-classified-handling environments) the immediate hunt is OWA w3wp.exe worker children spawning anomalous PowerShell / WMI in the days following inbound calendar-invite traffic; the second hunt is the EOMT-script idempotency check (organisations who ran it before the 2026-05-15 rule version will have stale mitigation state).