ctipilot.ch


Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The Exchange story is unusual in that the cross-day chain plays out within W20 rather than as a multi-week arc. Friday 2026-05-15: Microsoft confirms active exploitation of CVE-2026-42897, a stored XSS in OWA calendar-invite rendering; CISA adds it to KEV with a 2026-05-29 federal remediation deadline; NCSC.ch publishes Security Hub post #12577 the same day (Microsoft MSRC; NCSC.ch #12577; daily 2026-05-16). Thursday 2026-05-15 (Pwn2Own Day Two, parallel timeline): Orange Tsai / DEVCORE earned $200,000 by chaining three bugs into pre-auth RCE as SYSTEM on Exchange Server SE, per the Zero Day Initiative's published results; ZDI does not publish per-bug technical detail before the vendor patches, under its standard 90-day disclosure clock (ZDI Day Two; daily 2026-05-17 UPDATE).

These are two distinct findings (CVE-2026-42897, a stored XSS being exploited in the wild, vs. the DEVCORE three-bug chain, which achieved pre-auth SYSTEM RCE in a controlled research setting), and at week-end Microsoft has not formally linked them; but for any threat actor with a foothold via the OWA-XSS, post-foothold escalation primitives along the lines DEVCORE demonstrated are the natural next-stage concern. The composite threat picture: pre-auth SYSTEM RCE plausibly weaponisable from public research before Microsoft ships a permanent patch; pre-auth session takeover via the OWA-XSS possible today. EEMS / EOMT mitigations address the XSS attack path only. Hunt scope: OWA w3wp.exe worker processes spawning anomalous PowerShell / WMI children; the mailbox-role-assignment audit trail, for unexpected privilege transitions.
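A starting point for the two hunt scopes above, as added example code (not from ctipilot.ch, Microsoft or any vendor): it walks constructed Sysmon-style process-creation records and constructed Exchange admin-audit-log records. The app-pool name MSExchangeOWAAppPool and the field names are the standard ones; the event contents, account names and the expected-admin set are assumptions for the sample.

```python
# Hunt helpers for the brief's two scopes: OWA w3wp.exe workers spawning PowerShell /
# WMI children, and privilege-granting cmdlets run by unexpected accounts.
import re

# Child images that an IIS worker in the OWA app pool should never spawn.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe"}
# IIS puts the pool name on the worker command line: w3wp.exe -ap "MSExchangeOWAAppPool" ...
OWA_POOL_RE = re.compile(r'-ap\s+"?MSExchangeOWAAppPool"?', re.IGNORECASE)
# Cmdlets that grant mailbox or role access; an unexpected caller is the signal.
PRIV_CMDLETS = {"New-ManagementRoleAssignment", "Add-MailboxPermission", "Add-RoleGroupMember"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_owa_children(events):
    """Sysmon Event ID 1 style records -> [(child image, child command line)] for
    children of the OWA app-pool worker whose image is in SUSPICIOUS_CHILDREN."""
    hits = []
    for e in events:
        if (_basename(e["ParentImage"]) == "w3wp.exe"
                and OWA_POOL_RE.search(e["ParentCommandLine"])
                and _basename(e["Image"]) in SUSPICIOUS_CHILDREN):
            hits.append((_basename(e["Image"]), e["CommandLine"]))
    return hits

def flag_role_changes(audit, expected_admins):
    """Admin audit log records -> those where a privilege-granting cmdlet ran from
    an account outside expected_admins (compared case-insensitively)."""
    allowed = {a.lower() for a in expected_admins}
    return [r for r in audit
            if r["CmdletName"] in PRIV_CMDLETS and r["Caller"].lower() not in allowed]

OWA_WORKER = r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'
SAMPLE_PROCESS_EVENTS = [  # constructed samples, not real telemetry
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentCommandLine": OWA_WORKER,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami"},       # flagged
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentCommandLine": OWA_WORKER,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths ..."},              # ASP.NET compile: benign
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                                 # interactive user: benign
]
SAMPLE_AUDIT = [  # constructed Search-AdminAuditLog style records
    {"Caller": "corp\\exadmin", "CmdletName": "New-ManagementRoleAssignment"},
    {"Caller": "corp\\j.doe", "CmdletName": "Add-MailboxPermission"},   # flagged
    {"Caller": "corp\\j.doe", "CmdletName": "Get-Mailbox"},
]
```

In production the parent-command-line match is what keeps ECP, EWS and other Exchange app pools out of this rule; widen SUSPICIOUS_CHILDREN and PRIV_CMDLETS to whatever your baseline shows the OWA pool and your admins never legitimately do.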