ctipilot.ch


Exchange CVE-2026-42897 — active OWA-XSS exploitation persisting; no permanent patch; Exchange 2016/2019 permanently exposed without ESU Period 2

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

If you did nothing this week: Exchange 2016 and 2019 organisations without the Emergency Mitigation Service (EM Service) enabled are being actively targeted via stored-XSS in OWA. Microsoft has no security update — the MSRC advisory states verbatim: "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." Exchange 2016/2019 organisations that did not purchase ESU Period 2 licences will never receive the permanent patch and remain reliant on EM Service mitigation indefinitely.

CVE-2026-42897 (CVSS 8.1, CWE-79) is a stored XSS in Outlook Web Access (OWA). Active exploitation was already confirmed by the time the daily brief covered the DEVCORE Pwn2Own Berlin three-bug SYSTEM RCE chain disclosure on 2026-05-16. The EM Service mitigation (M2.1.x) deploys automatically when EM Service is enabled and the server can reach officemitigations.microsoft.com — verify in C:\Program Files\Microsoft\Exchange Server\V15\Logging\MitigationService\MitigationService.log that mitigation ID M2 shows "Applied". Exchange SE is the only version that will receive a public security update; 2016/2019 are permanently in an ESU-or-nothing posture for this CVE.
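The verification step above, as an added PowerShell check that is not part of the brief: it confirms the org- and server-level EM Service switches, the MSExchangeMitigation service, reachability of officemitigations.microsoft.com, the M2 entry reported by Get-ExchangeServer, and the MitigationService.log line the brief points to. It assumes it is run from the Exchange Management Shell on the server being checked; the log-line text pattern is an assumption.

```powershell
# Added example (not from the ctipilot.ch brief): verify EM Service posture for CVE-2026-42897.
# Assumes Exchange Management Shell on an Exchange 2016/2019 server; the mitigation ID "M2"
# comes from the brief, the log line format ("M2... Applied") is an assumption.
param([string]$Server = $env:COMPUTERNAME)

$findings = @()

# 1. EM Service must be enabled at both organisation and server level for mitigations to apply
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $Server
if (-not $org.MitigationsEnabled) { $findings += "Org-level MitigationsEnabled is FALSE (Set-OrganizationConfig -MitigationsEnabled `$true)" }
if (-not $srv.MitigationsEnabled) { $findings += "Server-level MitigationsEnabled is FALSE on $Server (Set-ExchangeServer -Identity $Server -MitigationsEnabled `$true)" }

# 2. The Emergency Mitigation Service itself must be running
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $findings += "MSExchangeMitigation service is not running on $Server" }

# 3. Mitigations are only downloaded if the endpoint named in the brief is reachable over HTTPS
$reach = Test-NetConnection -ComputerName officemitigations.microsoft.com -Port 443 -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) { $findings += "Cannot reach officemitigations.microsoft.com:443 - M2 will not download" }

# 4. What Exchange itself reports as applied and blocked mitigations
$applied = @($srv.MitigationsApplied)
$blocked = @($srv.MitigationsBlocked)
if ($blocked -match '^M2') { $findings += "M2 is listed in MitigationsBlocked: $($blocked -join ', ')" }
if (-not ($applied -match '^M2')) { $findings += "No M2* entry in MitigationsApplied (currently: $($applied -join ', '))" }

# 5. Cross-check the log file the brief points to (ExchangeInstallPath is set by Exchange setup)
$log = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService\MitigationService.log'
if (Test-Path $log) {
    $hit = Select-String -Path $log -Pattern 'M2\S*.*Applied' | Select-Object -Last 1
    if ($hit) { Write-Host "Latest log evidence: $($hit.Line)" }
    else { $findings += "No 'M2 ... Applied' line found in $log" }
} else { $findings += "Mitigation log not found at $log" }

if ($findings.Count -eq 0) { Write-Host "OK: EM Service enabled, running, endpoint reachable, M2 reported Applied on $Server" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any warning means the server is relying on a mitigation that is not actually in place and should be treated as unmitigated for this CVE until the cause is fixed.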

The DEVCORE chain (three chained bugs achieving SYSTEM RCE) disclosed at Pwn2Own Berlin adds a separate exploitation surface — Microsoft has not formally confirmed whether the chain is being weaponised against the same OWA initial-access vector, but the compound-exploitation risk is assessed HIGH given the active OWA-XSS exploitation underway.