Daily brief 2026-05-16
CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch
Entities: NCSC-CH
Part of run 2026-05-16-5bc123a0 (intel · Claude Opus 4.7)
CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored / reflected cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle (Microsoft MSRC, 2026-05-14 · Microsoft Exchange Team, 2026-05-14 · NCSC-CH Security Hub #12577, 2026-05-15 · BSI WID-SEC-2026-1536, 2026-05-14 · NCSC-NL NCSC-2026-0159, 2026-05-15). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions are met, arbitrary JavaScript executes in the OWA browser context — yielding session-token theft, content spoofing, and onward lateral phishing from the now-trusted sender.

Microsoft has confirmed Exploitation Detected (the highest of its three exploitation-status tiers) and assesses the issue as Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is not affected.

There is no permanent patch in the May 2026 Patch Tuesday bundle. Microsoft is shipping only an interim URL-rewrite Mitigation M2 through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on Exchange 2016 SP1 and later and auto-applies without requiring a service restart; air-gapped or EEMS-disconnected servers, plus deployments where EEMS has been manually disabled, must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from aka.ms/UnifiedEOMT via the Exchange Management Shell.
Permanent fixes are forthcoming for Exchange SE RTM (publicly available SU); for Exchange 2016 and Exchange 2019, the permanent update will be distributed only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme, which is a notable operational risk for any CH/EU public-sector organisation that has not enrolled. Detection: IIS access logs on the front-end Exchange role for /owa/ URLs containing <script> fragments or HTML-encoded equivalents in query strings; Exchange Application Event Log EID 4 (MSExchange Management) for EEMS mitigation-state changes; EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification: Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied.
“Current exploitation status: Actively Exploited” — NCSC Switzerland Cyber Security Hub
“Microsoft is supplying a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service. We are working on developing and testing a more permanent fix.” — Microsoft MSRC
Action items
- Verify EEMS Mitigation M2 deployed on every on-premises Exchange Server 2016 / 2019 / SE — and apply EOMT manually on air-gapped / EEMS-disconnected / hardened servers. CVE-2026-42897 is actively exploited with no permanent patch; EEMS auto-applies the URL-rewrite mitigation only on Exchange 2016 SP1+ with outbound HTTPS to officeclient.microsoft.com. Run Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied on every Exchange server; where the M2 identifier is absent, download and execute EOMT from aka.ms/UnifiedEOMT as Administrator. Then look back to 2026-05-09 in IIS access logs on the front-end Exchange role for /owa/ URLs with script-injection payloads — EEMS prevents future exploitation, not prior exploitation.
- Confirm Period 2 Exchange Server Extended Security Update enrolment for any Exchange 2016 / 2019 production deployment. The permanent CVE-2026-42897 fix for Exchange 2016 / 2019 will be distributed only to Period 2 ESU-enrolled organisations; Exchange SE will receive a publicly available SU. CH/EU public-sector organisations on Exchange 2016 / 2019 should verify ESU enrolment status with their Microsoft licensing partner this week — and where enrolment is not in place, treat EEMS Mitigation M2 as the permanent operational control until migration to Exchange SE or Exchange Online completes. See § 5 (Deep Dive, "Permanent-patch availability" paragraph).
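The IIS log review called for in the Detection paragraph and in the first action item (front-end /owa/ requests whose query string carries a <script> fragment or an HTML-encoded equivalent, looked back to 2026-05-09) can be scripted. The following is an added example written for this brief, not code from Microsoft, NCSC-CH or the brief's authors. The W3C field layout and the log lines are constructed for illustration; the decoder also peels repeated URL encoding before it checks for HTML entities, which goes slightly beyond the brief's wording so that double-encoded variants are not missed.

```python
"""Hunt IIS front-end logs for OWA requests whose query string smuggles a <script> fragment."""
import html
import re
from urllib.parse import unquote

# Constructed sample log, not taken from any real server. IIS W3C format: the
# "#Fields:" header names the columns; "-" marks an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-12 08:14:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-12 08:14:09 10.0.0.5 GET /owa/ path=/mail&id=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-12 08:15:30 10.0.0.5 GET /owa/service.svc action=GetItem&x=%26lt%3Bscript%26gt%3B 443 CONTOSO\\alice 198.51.100.9 Mozilla/5.0 200
2026-05-12 08:16:01 10.0.0.5 GET /ecp/ x=%3Cscript%3E 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-12 08:16:44 10.0.0.5 GET /owa/ x=%253Cscript%253E 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Opening script tag, tolerant of whitespace after '<'. The match is run on the
# fully decoded query, so encoded variants collapse to this form first.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def normalize(query: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode and HTML-unescape until the text stops changing.

    One pass handles %3Cscript%3E; a second pass handles %253Cscript%253E
    (double URL encoding); html.unescape handles &lt;script&gt; after the
    percent-encoding around it has been removed.
    """
    current = query
    for _ in range(rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def parse_iis(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_owa_script_hits(log_text: str, since: str = "2026-05-09") -> list:
    """Return /owa/ requests on or after `since` whose decoded query contains <script."""
    hits = []
    for rec in parse_iis(log_text):
        if rec["date"] < since:  # ISO dates compare correctly as strings
            continue
        if not rec["cs-uri-stem"].lower().startswith("/owa/"):
            continue
        query = rec["cs-uri-query"]
        if query == "-":
            continue
        decoded = normalize(query)
        if SCRIPT_RE.search(decoded):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "uri": rec["cs-uri-stem"],
                "decoded_query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_owa_script_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['user']} {hit['uri']} ?{hit['decoded_query']}")
```

Point the script at the real W3C logs under the front-end role's IIS log directory (typically one file per day) and keep `since` at 2026-05-09 as the brief recommends; the /ecp/ request in the sample is deliberately left out of the results because the brief scopes the hunt to /owa/ URLs, and the two sessions from the same client address are the kind of grouping an analyst would then pivot on.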