ctipilot.ch

Home · Live brief · Daily brief 2026-05-17

Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation

notable vulnerability discovered 2026-05-17 05:00 UTC

Entities: Embargo

Part of run 2026-05-17-4381863a (intel · Claude Opus 4.7)

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15; BleepingComputer, 2026-05-15). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: "Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."

The three bugs are under a 90-day Pwn2Own embargo — Microsoft must patch by approximately 2026-08-14 before ZDI publishes technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in CISA KEV (added 2026-05-15) with EEMS as the only listed mitigation; the Microsoft Exchange blog post addressing-exchange-server-may-2026-vulnerability-cve-2026-42897 linked from the MSRC advisory returns 502 on direct fetch and the MSRC entry itself is the operational primary (MSRC CVE-2026-42897).

Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify EEMS service is enabled (Get-ExchangeDiagnosticInfo, mitigation M2.1.x present in applied list); restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume hypothetical compromise paths through both OWA-browser-context attacks (CVE-2026-42897) and a direct service-account SYSTEM RCE chain (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.

“UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15 …” — ctipilot v2 brief (migrated)

Action items

  • Treat on-premises Microsoft Exchange as severely threatened through August Patch Tuesday 2026. Verify EEMS service is enabled and mitigation M2.1.x is in the applied list (Get-ExchangeDiagnosticInfo); restrict ECP / EWS / OWA reachability from the internet at WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration. The compound risk (CVE-2026-42897 active XSS, no permanent patch + DEVCORE Pwn2Own SYSTEM RCE chain under 90-day embargo) does not have a single mitigation. Reference: § 4 UPDATE on Exchange.
vulnerabilities actively-exploited rce zero-day cisa-kev no-patch global europe switzerland CVE-2026-42897