ctipilot.ch


CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to officemitigations.microsoft.com

critical vulnerability discovered 2026-05-18 05:00 UTC

Part of run 2026-05-18-2eabc1cf (intel · Claude Opus 4.7)

UPDATE (originally covered 2026-05-15 / deep-dive 2026-05-16): The Microsoft Exchange Team Blog post addressing CVE-2026-42897 was last modified 2026-05-17 to clarify an operational dependency that defenders must verify on every Exchange Mailbox host. The Exchange Emergency Mitigation Service (EM Service / EEMS), which auto-applies the URL Rewrite mitigation labelled M2.1.x, only delivers that mitigation when the Mailbox server itself can reach officemitigations.microsoft.com over outbound HTTPS. A running EM Service is therefore not evidence of protection: segmented on-premises Exchange 2016 / 2019 / Subscription Edition deployments that block direct outbound HTTPS from the Mailbox role will not have received the automatic mitigation and remain exposed to the actively exploited OWA stored-XSS chain until the rule is applied by hand.

The CVE remains CISA KEV-listed (added 2026-05-15) and, as of 2026-05-18, no permanent fix has shipped in a cumulative update. Microsoft states verbatim: "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." Exchange Online is unaffected. The verification the blog post prescribes is per server: run Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation and confirm the output reports Status: Active with rule M2.1.x applied. On hosts that cannot reach the mitigation service, apply the mitigation manually with .\EOMT.ps1 -CVE "CVE-2026-42897" from an elevated Exchange Management Shell, or create the documented URL Rewrite rule by hand, then re-run the diagnostic to confirm the rule is present.

“The Exchange Emergency Mitigation Service will provide mitigation automatically, and is on by default. If it is not already enabled on your Exchange Server, you need to enable Exchange Emergency Mitigation Service.” — Microsoft Exchange Team Blog

“We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards.” — Microsoft Exchange Team Blog

Action items

  • Verify Exchange Emergency Mitigation Service health on every on-premises Mailbox role. Run Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation against each Exchange 2016 / 2019 / SE host and confirm Status: Active and that rule M2.1.x is applied. Check the result per server, not per organisation: one host behind a stricter egress policy is enough to leave an exploitable OWA endpoint.
  • Confirm the service is actually allowed to apply mitigations. EEMS is gated at two levels: Get-OrganizationConfig | Format-List MitigationsEnabled (org-wide) and Get-ExchangeServer <server> | Format-List MitigationsEnabled (per server). Either being $false means no rule will ever be applied automatically, regardless of connectivity.
  • Test outbound reachability from the Mailbox server itself, not from an admin workstation, since segmentation is normally applied per subnet or role. If the server must use an explicit proxy for internet egress, set it with Set-ExchangeServer -Identity <server> -InternetWebProxy <proxy URL>; EEMS honours that setting, so a proxy-only egress policy does not by itself block the mitigation.
  • On hosts that still cannot reach officemitigations.microsoft.com, apply the mitigation manually via .\EOMT.ps1 -CVE "CVE-2026-42897" from an elevated Exchange Management Shell (or the documented URL Rewrite rule by hand), then re-run the diagnostic to confirm the rule is present.
  • Treat this as interim: there is no permanent patch yet, the CVE is CISA KEV-listed and actively exploited, so plan to install the cumulative update as soon as Microsoft ships it and re-verify that the manual rule does not conflict with it.
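The sweep described in the action items, as an added example that is not code from the Exchange Team Blog post or from Microsoft's tooling. It walks every Mailbox server in the organisation and reports the three things that decide whether the automatic mitigation can have landed: the MSExchangeMitigation Windows service state, the org- and server-level MitigationsEnabled switches together with the MitigationsApplied / MitigationsBlocked lists that Get-ExchangeServer exposes on EEMS-capable builds, and whether the server itself can open an HTTPS connection to the mitigation endpoint. The rule prefix M2.1 and the host officemitigations.microsoft.com are taken from the brief above; the script name Check-EmService.ps1 and the two parameters are this example's own assumptions, and the HEAD probe is a generic reachability test, not the service's real request.

```powershell
# Check-EmService.ps1 (hypothetical name, added example): EEMS health sweep for CVE-2026-42897.
# Save to a file and run from an elevated Exchange Management Shell on a domain-joined admin host.
# Assumptions: rule prefix and endpoint host come from the brief; adjust if the blog post differs.
param(
    [string]$ExpectedRulePrefix = 'M2.1',
    [string]$MitigationHost     = 'officemitigations.microsoft.com'
)

# Org-wide kill switch: if this is $false, no server applies mitigations whatever its own state says.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# EEMS lives on the Mailbox role only; Edge Transport servers are out of scope for this check.
$servers = Get-ExchangeServer | Where-Object { $_.IsMailboxServer }

$report = foreach ($srv in $servers) {
    $name = $srv.Name

    # 1. Is the Windows service behind EEMS present and running on that host?
    $svc = Get-Service -ComputerName $name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # 2. Per-server state as tracked by Exchange itself.
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    $hasRule = @($applied | Where-Object { $_ -like "$ExpectedRulePrefix*" }).Count -gt 0

    # 3. Reachability, tested FROM the Mailbox server: egress filtering is per subnet/role, so a
    #    probe from the admin workstation proves nothing about the server's own path.
    $reach = Invoke-Command -ComputerName $name -ArgumentList $MitigationHost -ErrorAction SilentlyContinue -ScriptBlock {
        param($h)
        try {
            $null = Invoke-WebRequest -Uri "https://$h/" -Method Head -UseBasicParsing -TimeoutSec 15
            $true
        } catch {
            # An HTTP error still means TCP and TLS succeeded; only a missing response is a block.
            [bool]$_.Exception.Response
        }
    }

    [pscustomobject]@{
        Server            = $name
        Version           = $srv.AdminDisplayVersion
        ServiceStatus     = if ($svc) { $svc.Status } else { 'NotFound' }
        OrgMitigations    = $orgEnabled
        ServerMitigations = $srv.MitigationsEnabled
        CanReachEndpoint  = if ($null -eq $reach) { 'Unknown' } else { $reach }
        RuleApplied       = $hasRule
        Applied           = ($applied -join ',')
        Blocked           = ($blocked -join ',')
        InternetWebProxy  = $srv.InternetWebProxy
        NeedsManualAction = -not $hasRule
    }
}

$report | Format-Table Server, ServiceStatus, OrgMitigations, ServerMitigations, CanReachEndpoint, RuleApplied, InternetWebProxy -AutoSize

# Anything without the expected rule is exposed until the URL Rewrite mitigation is applied by hand.
$report | Where-Object NeedsManualAction | ForEach-Object {
    Write-Warning ("{0}: no mitigation matching {1}* applied (reachable={2}, blocked=[{3}]). Apply manually and re-check." -f `
        $_.Server, $ExpectedRulePrefix, $_.CanReachEndpoint, $_.Blocked)
}
```

A server showing CanReachEndpoint = True but RuleApplied = False is the interesting case: the path is open, so look at the Blocked column and the two MitigationsEnabled flags before assuming a network problem. For the authoritative connectivity test, run Test-MitigationServiceConnectivity locally on the affected server; the HEAD probe above only shows that a TLS connection to the host can be opened, not that the mitigation download succeeds.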
vulnerabilities actively-exploited cisa-kev no-patch global CVE-2026-42897