ctipilot.ch

CVE-2026-42897 — Microsoft Exchange Server 2016/2019/SE: OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch; EEMS Mitigation M2 / EOMT)


Coverage timeline: 4 entries, first 2026-05-16, last 2026-05-16
Briefs: 1 (1 distinct)
Sources cited: 9 (8 hosts)
Sections touched: 4 (trending_vulns, immediate_actions, deep_dive, action_items)
Co-occurring entities: 2

Story timeline

  1. 2026-05-16 · CTI Daily Brief — 2026-05-16 (sections: trending_vulns, immediate_actions, deep_dive, action_items)
     First coverage. Microsoft confirmed Exploitation Detected 2026-05-14; CISA KEV-added 2026-05-15; no permanent patch: EEMS Mitigation M2 auto-applies, EOMT for air-gapped; Exchange 2016/2019 permanent fix gated on Period 2 ESU enrolment. Deep dive § 5.

Where this entity is cited

  • trending_vulns (1)
  • immediate_actions (1)
  • deep_dive (1)
  • action_items (1)

Source distribution

  • techcommunity.microsoft.com: 2 (22%)
  • msrc.microsoft.com: 1 (11%)
  • security-hub.ncsc.admin.ch: 1 (11%)
  • wid.cert-bund.de: 1 (11%)
  • advisories.ncsc.nl: 1 (11%)
  • cisa.gov: 1 (11%)
  • microsoft.com: 1 (11%)
  • thehackernews.com: 1 (11%)

External references

NVD · cve.org · CISA KEV

Items in briefs about CVE-2026-42897 — Microsoft Exchange Server 2016/2019/SE: OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch; EEMS Mitigation M2 / EOMT) (1)

CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored cross-site scripting (XSS) flaw in Outlook on the web (OWA, historically Outlook Web Access) of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle (Microsoft MSRC, 2026-05-14 · Microsoft Exchange Team, 2026-05-14 · NCSC-CH Security Hub #12577, 2026-05-15 · BSI WID-SEC-2026-1536, 2026-05-14 · NCSC-NL NCSC-2026-0159, 2026-05-15). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions is met (hence UI:R), arbitrary JavaScript executes in the recipient's OWA browser context, giving the attacker session-token theft, content spoofing, and onward lateral phishing from a mailbox that other recipients already trust. Microsoft rates the issue Exploitation Detected (the top rating on its Exploitability Index) and assesses it as Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is not affected. There is no permanent patch in the May 2026 Patch Tuesday bundle. Microsoft is shipping only an interim IIS URL Rewrite mitigation, Mitigation M2, through the Exchange Emergency Mitigation Service (EEMS). EEMS exists and is enabled by default from Exchange 2016 CU22 and Exchange 2019 CU11 onward (and on every SE build); where it is enabled and can reach Microsoft's Office Config Service, M2 auto-applies without a service restart. Air-gapped or otherwise EEMS-disconnected servers, deployments where EEMS has been disabled at the organisation or server level, and servers on CU levels that predate EEMS must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from aka.ms/UnifiedEOMT in an elevated Exchange Management Shell. A URL Rewrite rule is a blocklist-style stopgap: it narrows the reachable input, it does not correct the underlying output-encoding defect, so it is no substitute for the permanent update once that ships.
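The "is M2 actually on this server, and if not, why" question above is the one an Exchange admin has to answer for every server before deciding whether EOMT is needed. The following is an added example, not code from the brief or from Microsoft, that enumerates that state across the organisation. It assumes Windows PowerShell 5.1 in an elevated Exchange Management Shell, uses the documented EEMS properties on Get-ExchangeServer / Get-OrganizationConfig (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) rather than the Get-ExchangeDiagnosticInfo call the brief cites, and takes the mitigation ID M2 from the brief; the MSExchangeMitigation service name and the Office Config Service URL are taken from Microsoft's EEMS documentation and should be re-checked there before production use.

```powershell
# Added example (not from the CTI brief or Microsoft): report EEMS coverage of a
# named mitigation on every mailbox server and say which servers need the EOMT
# fallback. Assumes Windows PowerShell 5.1 in an elevated Exchange Management
# Shell. Service name and OCS URL are from Microsoft's EEMS docs; verify there.

function Get-EemsCoverage {
    [CmdletBinding()]
    param(
        [string]$RequiredMitigation = 'M2',
        # Office Config Service endpoint EEMS polls for the mitigation XML
        [string]$OcsUrl = 'https://officeclient.microsoft.com/GetExchangeMitigations'
    )

    # Org-level kill switch: $false here disables EEMS on every server at once.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    # OCS reachability from this host; a failure explains an "enabled but
    # nothing applied" server that shares the same egress path.
    $ocsReachable = $true
    try {
        $null = Invoke-WebRequest -Uri $OcsUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
    } catch {
        $ocsReachable = $false
    }

    foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
        # Get-Service -ComputerName is Windows PowerShell 5.1 only (fine in EMS).
        $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

        # Older CUs lack the property entirely; @($null) keeps -contains safe.
        $applied = @($srv.MitigationsApplied)
        $blocked = @($srv.MitigationsBlocked)

        $action =
            if ($orgEnabled -eq $false) {
                'EEMS off at org level: run EOMT now, then Set-OrganizationConfig -MitigationsEnabled $true'
            } elseif ($null -eq $srv.MitigationsEnabled) {
                'CU predates EEMS (before 2016 CU22 / 2019 CU11): run EOMT, then update the CU'
            } elseif (-not $srv.MitigationsEnabled) {
                'EEMS off on this server: run EOMT, then Set-ExchangeServer -MitigationsEnabled $true'
            } elseif ($blocked -contains $RequiredMitigation) {
                "$RequiredMitigation is in MitigationsBlocked: an admin opted out, re-assess that decision"
            } elseif ($applied -contains $RequiredMitigation) {
                'OK'
            } elseif (-not $svc -or $svc.Status -ne 'Running') {
                'MSExchangeMitigation service not running: start it, or run EOMT if it will not start'
            } elseif (-not $ocsReachable) {
                'OCS unreachable (air-gapped or egress blocked): run EOMT'
            } else {
                "EEMS healthy but $RequiredMitigation not yet applied: wait one EEMS poll cycle, re-check, else run EOMT"
            }

        [pscustomobject]@{
            Server        = $srv.Name
            Version       = $srv.AdminDisplayVersion
            OrgEnabled    = $orgEnabled
            ServerEnabled = $srv.MitigationsEnabled
            Service       = if ($svc) { $svc.Status } else { 'missing' }
            Applied       = ($applied -join ',')
            Blocked       = ($blocked -join ',')
            Action        = $action
        }
    }
}

# Usage: every row whose Action is not 'OK' needs attention; for the EOMT
# rows, run the EOMT.ps1 downloaded from aka.ms/UnifiedEOMT elevated on that server.
Get-EemsCoverage -RequiredMitigation 'M2' | Format-Table -AutoSize
```

The order of the checks matters: an org-level MitigationsEnabled of $false overrides whatever a server reports, and a mitigation listed in MitigationsBlocked will never be applied by EEMS no matter how healthy the service is, so those two conditions are tested before the per-server service and connectivity state.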
Permanent fixes are forthcoming: Exchange SE RTM will receive a publicly available SU, while for Exchange 2016 and Exchange 2019 the permanent update will be distributed only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme. That gating is a notable operational risk for any CH/EU public-sector organisation still on 2016/2019 that has not enrolled: without ESU it stays on the URL Rewrite stopgap indefinitely. Detection: (1) IIS access logs of the front-end role (the Default Web Site) for /owa/ URLs whose query strings contain <script> fragments or their URL- or HTML-encoded equivalents; this catches only URL-borne payloads, since a payload carried in the message body never appears in the IIS log; (2) the Exchange Application event log, EID 4 from source MSExchange Management, for EEMS mitigation-state changes; (3) EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification, as given in the brief: Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied.
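The IIS-log hunt in the detection guidance is easy to get wrong by grepping for a literal "<script>": IIS logs the query string as the client sent it, so the interesting hits are percent-encoded, double-encoded, or HTML-entity-encoded. The following is an added example, not code from the brief or from Microsoft, that decodes before matching and goes a little beyond the brief by also flagging event-handler attributes and javascript: URLs, not only <script>. It assumes Windows PowerShell 5.1 on the Exchange server and the default IIS W3C log format; the field order is read from the "#Fields:" header rather than hard-coded, and the log lines in $SampleLog are constructed for this example.

```powershell
# Added example (not from the CTI brief or Microsoft): hunt front-end IIS logs
# for the URL-borne form of the OWA XSS. Assumes Windows PowerShell 5.1 and the
# default W3C log format. Sample lines below are constructed, not real traffic.

function Find-OwaXssHit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Line,
        # Markup that has no business in an OWA query string. PowerShell -match is
        # case-insensitive by default. This is a triage hunt, not a precise signature.
        [string]$Pattern = '<\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=|expression\s*\('
    )
    begin { $fields = $null }
    process {
        foreach ($l in $Line) {
            # Field order comes from the header so rotated logs with a different
            # column set still parse.
            if ($l.StartsWith('#Fields:')) { $fields = $l.Substring(8).Trim() -split '\s+'; continue }
            if ($null -eq $fields -or $l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l)) { continue }

            $cols = $l -split ' '
            if ($cols.Count -ne $fields.Count) { continue }   # truncated or foreign line
            $rec = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

            # Scope to OWA as in the brief; widen the stem filter to hunt /ecp/ too.
            if ($rec['cs-uri-stem'] -notmatch '^/owa(/|$)') { continue }

            # Two rounds of URL decoding expose double-encoded bytes
            # (%253C -> %3C -> <); HTML decoding then exposes entity forms
            # (&lt;script&gt;, &#60;) that a URL-only decode would miss.
            $decoded = $rec['cs-uri-query']
            for ($r = 0; $r -lt 2; $r++) { $decoded = [System.Net.WebUtility]::UrlDecode($decoded) }
            $decoded = [System.Net.WebUtility]::HtmlDecode($decoded)

            if ($decoded -match $Pattern) {
                [pscustomobject]@{
                    When     = "$($rec['date']) $($rec['time'])"
                    ClientIP = $rec['c-ip']
                    User     = $rec['cs-username']
                    Stem     = $rec['cs-uri-stem']
                    Query    = $decoded
                    Status   = $rec['sc-status']
                    Match    = $Matches[0]
                }
            }
        }
    }
}

# Constructed sample: one benign logon redirect, a plain-encoded <script>, an
# HTML-entity-encoded <img onerror>, a double-encoded <svg onload>, and an /ecp/
# probe that the stem filter deliberately leaves out.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-15 08:01:12 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-15 08:01:40 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.ch%2Fowa%2F 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-15 08:02:03 10.0.0.5 GET /owa/ path=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E 443 - 198.51.100.9 curl/8.0 200
2026-05-15 08:02:05 10.0.0.5 GET /owa/ path=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(1)%26gt%3B 443 - 198.51.100.9 curl/8.0 200
2026-05-15 08:02:09 10.0.0.5 GET /owa/ path=%253Csvg%2520onload%253Dalert(1)%253E 443 - 198.51.100.9 curl/8.0 200
2026-05-15 08:02:30 10.0.0.5 GET /ecp/ path=%3Cscript%3E 443 - 198.51.100.9 curl/8.0 302
'@

# Run on the sample. For real hunting point it at the front-end (Default Web
# Site) logs, typically C:\inetpub\logs\LogFiles\W3SVC1\:
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex2605*.log' | Find-OwaXssHit | Format-Table -AutoSize
$SampleLog -split "`r?`n" | Find-OwaXssHit | Format-Table -AutoSize
```

On the sample, the three /owa/ lines from 198.51.100.9 are reported with their fully decoded query, the benign logon redirect is not, and the /ecp/ probe is dropped by the stem filter. Remember the caveat from the brief: a payload that arrives in the body of an email never appears in these logs, so a clean IIS hunt says nothing about the stored form of this bug.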