ctipilot.ch

CVE-2026-42897 — Microsoft Exchange Server 2016/2019/SE: OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch; EEMS Mitigation M2 / EOMT)

cve · CVE-2026-42897

Coverage timeline: 11 items · first 2026-05-16 → last 2026-05-18
Briefs: 4 (4 distinct)
Sources cited: 14 (11 hosts)
Sections touched: 7 (listed under "Where this entity is cited" below)
Co-occurring entities: 8

Story timeline

  1. 2026-05-18 · CTI Daily Brief — 2026-05-18 · tldr
     TL;DR bullet — Exchange Team Blog 2026-05-17 update confirms EM Service auto-mitigation requires outbound HTTPS to officemitigations.microsoft.com.
  2. 2026-05-18 · CTI Daily Brief — 2026-05-18 · immediate_actions
     Immediate Action — verify EEMS service active AND outbound connectivity to officemitigations.microsoft.com from every on-prem Exchange Mailbox host.
  3. 2026-05-18 · CTI Daily Brief — 2026-05-18 · updates
     UPDATE — Exchange Team Blog 2026-05-17 clarifies EM Service URL-Rewrite M2.1.x mitigation only auto-applies when the Exchange host has outbound HTTPS connectivity to officemitigations.microsoft.com. Segmented environments may be silently unprotected. No permanent patch.
  4. 2026-05-18 · CTI Daily Brief — 2026-05-18 · action_items
     Action: verify EEMS health on every Exchange Mailbox host; apply EOMT.ps1 manually on segmented hosts.
  5. 2026-05-17 · CTI Daily Brief — 2026-05-17 · updates
     UPDATE: Pwn2Own Berlin 2026 Day 2 — DEVCORE Orange Tsai chained three undisclosed Exchange bugs to unauthenticated SYSTEM RCE ($200K, 90-day embargo). Separate attack surface from CVE-2026-42897. Compound risk: active XSS without permanent patch PLUS fresh SYSTEM RCE class. MSRC advisory remains the operational primary.
  6. 2026-05-17 · CTI Daily Brief — 2026-05-17 · action_items
     Action: treat on-premises Exchange as severely threatened through August Patch Tuesday 2026; verify EEMS M2.1.x; restrict ECP/EWS/OWA internet reachability; accelerate Exchange Online migration.
  7. 2026-05-17 · CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · weekly_summary
     Consolidated in weekly summary for 2026-W20
  8–11. 2026-05-16 · CTI Daily Brief — 2026-05-16 · trending_vulns, immediate_actions, deep_dive, action_items (identical text in all four sections)
     First coverage. Microsoft confirmed Exploitation Detected 2026-05-14; CISA KEV-added 2026-05-15; no permanent patch — EEMS Mitigation M2 auto-applies, EOMT for air-gapped; Exchange 2016/2019 permanent fix gated on Period 2 ESU enrolment. Deep dive § 5.

Where this entity is cited

  • action_items: 3
  • immediate_actions: 2
  • updates: 2
  • trending_vulns: 1
  • deep_dive: 1
  • weekly_summary: 1
  • tldr: 1

Source distribution

  • security-hub.ncsc.admin.ch: 2 (14%)
  • techcommunity.microsoft.com: 2 (14%)
  • cisa.gov: 2 (14%)
  • bleepingcomputer.com: 1 (7%)
  • msrc.microsoft.com: 1 (7%)
  • thezdi.com: 1 (7%)
  • wid.cert-bund.de: 1 (7%)
  • zerodayinitiative.com: 1 (7%)
  • other: 3 (21%)

External references

NVD · cve.org · CISA KEV

Items in briefs about CVE-2026-42897 (4)

UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`

From CTI Daily Brief — 2026-05-18 · published 2026-05-18

UPDATE (originally covered 2026-05-15 / deep-dive 2026-05-16): The Microsoft Exchange Team Blog post addressing CVE-2026-42897 was last modified 2026-05-17 to clarify an operational dependency that defenders must verify on every Exchange Mailbox host: the Exchange Emergency Mitigation Service (EM Service / EEMS) — which auto-applies the URL-Rewrite mitigation labelled M2.1.x — only delivers that mitigation when it can reach officemitigations.microsoft.com over outbound HTTPS. Segmented on-premises Exchange 2016 / 2019 / Subscription-Edition deployments that block direct outbound HTTPS from the Mailbox role will therefore not have received the automatic mitigation and remain exposed to the actively-exploited OWA stored-XSS chain.

The CVE remains CISA KEV-listed (added 2026-05-15) with no permanent cumulative-update fix as of 2026-05-18; Microsoft states verbatim "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." Exchange Online is unaffected. Operational verification per server: confirm that the Microsoft Exchange Emergency Mitigation service (MSExchangeMitigation) is running on the host and that Get-ExchangeServer -Identity <server> | Format-List MitigationsEnabled,MitigationsApplied,MitigationsBlocked shows MitigationsEnabled as True and the M2.1.x rule under MitigationsApplied. On hosts that cannot reach the mitigation service, apply the mitigation manually: .\EOMT.ps1 -CVE "CVE-2026-42897" from an elevated Exchange Management Shell, or apply the documented URL Rewrite rule by hand. MitigationsApplied records only what the EM service itself has applied, so after a manual run confirm the rule in the IIS URL Rewrite configuration of the Default Web Site rather than re-reading that attribute.
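The per-server check described above (and repeated as an action item in the 2026-05-17 and 2026-05-16 items below), worked through as an added example. This script is not from the brief and is not Microsoft's tooling; it is an Exchange Management Shell audit to run from an account that is also a local administrator on the Exchange servers. It assumes that the mitigation ID of interest begins with "M2.1" as the brief labels it, that the EM service endpoint is officemitigations.microsoft.com on TCP 443 as the brief states, that WinRM is open from the admin host to each server, and that the Exchange front end lives in the IIS "Default Web Site"; the URL Rewrite enumeration is a generic IIS read and needs the M2 rule name from the advisory to interpret.

```powershell
# Added example, not taken from the brief or from Microsoft's tooling: audit EEMS readiness on
# every on-premises Mailbox server from an Exchange Management Shell session.
# Assumptions (not stated by Microsoft on this page): mitigation IDs of interest start with "M2.1";
# the EM service endpoint is officemitigations.microsoft.com:443; WinRM reaches each server;
# the Exchange front end is hosted in IIS "Default Web Site".
$MitigationPrefix = 'M2.1'
$EemsEndpoint     = 'officemitigations.microsoft.com'

# Organisation-wide switch: when $false, no server receives any mitigation regardless of its own state.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }) {
    # MitigationsApplied / MitigationsBlocked are maintained by the EM service on the server object.
    $applied = @($srv.MitigationsApplied)
    $hasRule = [bool]($applied | Where-Object { $_ -like "$MitigationPrefix*" })

    $remote = Invoke-Command -ComputerName $srv.Fqdn -ArgumentList $EemsEndpoint -ScriptBlock {
        param($endpoint)
        $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        # Direct TCP probe. Exchange honours InternetWebProxy when set, so a failed direct probe on a
        # proxied host does not by itself prove EEMS is cut off; a passing probe on an unproxied host
        # that still shows no rule points at the service, not the network.
        $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        # URL Rewrite rules currently present on the front end: a manual EOMT run shows up here,
        # not in MitigationsApplied. Compare the names with the M2 rule name given in the advisory.
        $rules = try {
            Import-Module WebAdministration -ErrorAction Stop
            @(Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site' -ErrorAction Stop | ForEach-Object { $_.name })
        } catch { @() }
        [pscustomobject]@{
            ServiceStatus = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
            Reachable     = [bool]$tcp.TcpTestSucceeded
            RewriteRules  = ($rules -join ';')
        }
    }

    [pscustomobject]@{
        Server            = $srv.Name
        OrgMitigations    = $orgEnabled
        ServerMitigations = $srv.MitigationsEnabled
        Blocked           = (@($srv.MitigationsBlocked) -join ',')
        Proxy             = "$($srv.InternetWebProxy)"
        Service           = $remote.ServiceStatus
        EndpointReachable = $remote.Reachable
        Applied           = ($applied -join ',')
        RewriteRules      = $remote.RewriteRules
        NeedsManualAction = -not $hasRule
    }
}

$report | Sort-Object NeedsManualAction -Descending | Format-Table -AutoSize

# Servers flagged here are the segmented or disconnected hosts the brief warns about: apply the
# mitigation manually per the MSRC advisory, then confirm the rule in IIS rather than trusting the
# tool's exit code. EM service activity is logged under $env:ExchangeInstallPath\Logging\MitigationService.
$report | Where-Object NeedsManualAction | ForEach-Object {
    Write-Warning ('{0}: EEMS service={1} endpoint reachable={2} applied=[{3}]' -f
        $_.Server, $_.Service, $_.EndpointReachable, $_.Applied)
}
```

Read the three columns together rather than any one alone: a host with OrgMitigations or ServerMitigations False will never receive the rule however good its connectivity; a host with the service Running and the endpoint reachable but an empty Applied list is the case the 2026-05-17 blog update describes (EM service cannot fetch the rule set, typically because a proxy is required and InternetWebProxy is unset), and a host whose rule appears only in RewriteRules was mitigated by hand and will not be refreshed by the EM service.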

Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: every on-premises Exchange Server 2016 / 2019 / SE deployment with Outlook Web Access reachable from the public internet has been inside an active exploitation window since at least Microsoft's Exploitation Detected confirmation on 2026-05-14 (CISA KEV addition 2026-05-15). The exploit chain is a stored XSS in OWA's calendar-invite rendering pipeline that executes attacker JavaScript in the victim's session context the moment a crafted invite is opened in a browser; subsequent stages perform internal-mailbox enumeration, mass email-rule creation, and OWA-token theft for lateral SAML / OAuth abuse against connected M365 tenants. Microsoft has shipped only the EEMS (Exchange Emergency Mitigation Service) rule and the EOMT script as temporary mitigations; there is no permanent code patch as of week-end (Microsoft MSRC; Microsoft Exchange Team blog; NCSC.ch Security Hub #12577).

The threat picture compounded on 2026-05-15 when a DEVCORE / Orange Tsai entry at Pwn2Own Berlin Day Two earned $200,000 by chaining three bugs to achieve pre-auth RCE as SYSTEM on Exchange Server SE, per the Zero Day Initiative's published results (ZDI Day Two; ZDI does not publish per-bug technical detail before vendor patches under the standard 90-day disclosure clock). The DEVCORE chain has not been linked to current ITW exploitation, and Microsoft has not yet issued an out-of-band advisory; defenders should nonetheless assume that a chained variant combining OWA-XSS initial access with the DEVCORE elevation primitives will become the operationally dominant Exchange threat well before any patch lands (daily 2026-05-16; daily 2026-05-17 UPDATE). For Swiss federal estates running on-premises Exchange (the predominant configuration in cantonal administration and federal-classified-handling environments) two hunts follow. The first targets the server-side RCE class: OWA w3wp.exe worker processes spawning anomalous PowerShell / WMI children in the days following inbound calendar-invite traffic. An XSS on its own executes in the victim's browser, not in w3wp, so this hunt covers the compound path; the XSS itself leaves mailbox-side traces, namely the mass inbox-rule creation and OWA-token reuse described above. The second is a mitigation-state check: organisations that ran EOMT before the 2026-05-15 rule version hold stale mitigation state and must re-run it.

UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15; BleepingComputer, 2026-05-15). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: "Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."

The three bugs are under the 90-day Pwn2Own disclosure embargo, which runs to approximately 2026-08-13; the August 2026 Patch Tuesday (2026-08-11) is the last scheduled release before ZDI may publish technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in CISA KEV (added 2026-05-15) with EEMS as the only listed mitigation; the Microsoft Exchange blog post addressing-exchange-server-may-2026-vulnerability-cve-2026-42897 linked from the MSRC advisory returned 502 on direct fetch at time of writing, so the MSRC entry itself is the operational primary (MSRC CVE-2026-42897).

Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify that the EEMS service (MSExchangeMitigation) is running on every Mailbox server and that mitigation M2.1.x is listed in MitigationsApplied on Get-ExchangeServer; restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume compromise paths through both OWA browser-context attacks (CVE-2026-42897) and a direct pre-auth SYSTEM RCE chain against the server (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.

CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored / reflected cross-site scripting flaw in the Outlook Web Access (OWA) component of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle (Microsoft MSRC, 2026-05-14 · Microsoft Exchange Team, 2026-05-14 · NCSC-CH Security Hub #12577, 2026-05-15 · BSI WID-SEC-2026-1536, 2026-05-14 · NCSC-NL NCSC-2026-0159, 2026-05-15). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions is met (the UI:R in the vector), arbitrary JavaScript executes in the OWA browser context, yielding session-token theft, content spoofing, and onward lateral phishing from the now-trusted sender.

Microsoft rates the issue Exploitation Detected (the top tier of its Exploitability Index) and Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is not affected.

There is no permanent patch in the May 2026 Patch Tuesday bundle. Microsoft is shipping only an interim URL Rewrite mitigation, M2, through the Exchange Emergency Mitigation Service (EEMS). EEMS is present and enabled by default from Exchange 2016 CU22 and Exchange 2019 CU11 onwards and on all Exchange SE builds, and applies the rule without a service restart. Air-gapped or EEMS-disconnected servers, and deployments where EEMS has been disabled (MitigationsEnabled set to False at server or organisation level), must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from aka.ms/UnifiedEOMT via the Exchange Management Shell.

Permanent fixes are forthcoming: for Exchange SE RTM as a publicly available SU; for Exchange 2016 and Exchange 2019 only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme, a notable operational risk for any CH/EU public-sector organisation that has not enrolled.

Detection: IIS access logs on the front-end Exchange role for /owa/ requests whose query strings carry <script> fragments or their percent- or HTML-encoded equivalents (this catches reflected probes and attacker reconnaissance; a payload stored in a message body never appears in the request line, so for the stored variant correlate the victim's OWA rendering requests in the Exchange HttpProxy\Owa logs with mailbox content instead); Exchange Application Event Log EID 4 (MSExchange Management) for EEMS mitigation-state changes; EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification: Get-Service MSExchangeMitigation on the host, and Get-ExchangeServer -Identity <name> | Format-List MitigationsEnabled,MitigationsApplied,MitigationsBlocked, with the M2 rule expected under MitigationsApplied.
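The IIS-log detection listed above, worked through as an added example that is not the brief's own tooling. It parses W3C extended log lines using the #Fields directive, normalises percent-encoding (including double-encoding), form-encoded plus signs and HTML entities before matching, and restricts itself to the /owa/ stem. The log lines in $sample are constructed for this example; the field set is the IIS default W3C selection and the regex is a starting point, not an exhaustive XSS grammar.

```powershell
# Added example, not taken from the brief: scan IIS W3C logs from the Exchange front end for /owa/
# requests whose query string carries a script fragment, normalising percent-encoded, double-encoded,
# form-encoded (+) and HTML-entity-encoded forms first so a naive search for "<script" is not bypassed.
# The log lines in $sample are constructed for this example; field order follows the #Fields header.

function Decode-Layers {
    # Peel URL and HTML-entity encoding until the text stops changing (bounded at 5 passes), so that
    # %253Cscript (double-encoded) and &lt;script both normalise to <script. '+' is treated as a
    # space as in application/x-www-form-urlencoded; acceptable for detection, not for data recovery.
    param([string]$Text)
    $cur = $Text
    for ($i = 0; $i -lt 5; $i++) {
        $next = [System.Net.WebUtility]::HtmlDecode([System.Uri]::UnescapeDataString($cur.Replace('+', ' ')))
        if ($next -eq $cur) { break }
        $cur = $next
    }
    return $cur
}

function Find-OwaScriptRequests {
    # Parse W3C extended log lines (one request per line, columns named by the #Fields directive) and
    # return the /owa/ requests whose decoded query matches a script-injection pattern.
    param([string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
        $cols = $line -split ' '
        if ($cols.Count -lt $fields.Count) { continue }
        $rec = @{}
        for ($k = 0; $k -lt $fields.Count; $k++) { $rec[$fields[$k]] = $cols[$k] }
        if ($rec['cs-uri-stem'] -notlike '/owa/*') { continue }
        $query = Decode-Layers -Text $rec['cs-uri-query']
        # Script tags, javascript: URIs, and any tag carrying an on*= handler; -match is case-insensitive.
        if ($query -match '<\s*script|javascript\s*:|<\s*[a-z]+[^>]*\son[a-z]+\s*=') {
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Client  = $rec['c-ip']
                User    = $rec['cs-username']
                Status  = $rec['sc-status']
                Decoded = $query
                Raw     = $rec['cs-uri-query']
            }
        }
    }
}

# Constructed sample: a benign calendar request, a plain probe, a double-encoded probe, an
# entity-encoded tag with an event handler, and an /ecp/ request that is outside the hunt's scope.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status'
    '2026-05-16 08:01:12 10.0.0.5 GET /owa/ path=/calendar 443 CONTOSO\alice 198.51.100.7 Mozilla/5.0 200'
    '2026-05-16 08:02:40 10.0.0.5 GET /owa/ path=/calendar/item&q=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.9 curl/8.0 200'
    '2026-05-16 08:03:01 10.0.0.5 GET /owa/ q=%253Cscript%253Ex 443 - 203.0.113.9 curl/8.0 200'
    '2026-05-16 08:03:15 10.0.0.5 GET /owa/ r=&lt;img+src%3Dx+onerror%3Dalert(1)&gt; 443 - 203.0.113.9 curl/8.0 302'
    '2026-05-16 08:04:00 10.0.0.5 GET /ecp/ q=%3Cscript%3E 443 - 203.0.113.9 curl/8.0 200'
)

Find-OwaScriptRequests -LogLines $sample | Format-Table -AutoSize

# Against live logs on a front-end server, for example:
# Find-OwaScriptRequests -LogLines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\u_ex2605*.log")
```

Two caveats for anyone running this against production. IIS records the request line only, so a stored payload delivered inside a message body will never match here; this hunt finds reflected probes and the attacker's reconnaissance against OWA, and the stored variant has to be hunted mailbox-side (new inbox rules, unexpected OWA sessions) and correlated through the Exchange HttpProxy\Owa logs, which carry the same URL fields plus the authenticated user and backend server. And because hits are produced per request, pivot on the Client and User columns rather than counting lines: one source probing several encodings in a short window is the pattern worth escalating.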