Threat Notice: Microsoft Exchange Zero-Day
Overview
Microsoft has disclosed a cross-site scripting vulnerability in Exchange Server’s Outlook Web Access that is being actively exploited in the wild at the time of disclosure.
No permanent patch is available at the time of writing.
For customers who have the Exchange Emergency Mitigation Service enabled, Microsoft has deployed an automatic interim mitigation.
CVE-2026-42897 | CVSS 8.1 | Outlook Web Access Cross-Site Scripting
- An attacker can send a specially crafted email to a target; when the recipient opens the message in Outlook Web Access, arbitrary JavaScript executes in the browser context.
- Successful exploitation can allow attackers to steal authenticated session tokens, harvest credentials, pivot to broader phishing campaigns against internal users, and leverage access to Exchange as a foothold for lateral movement and persistence across connected environments.
Recommendations
- Immediately verify that the Exchange Emergency Mitigation Service (EEMS) is enabled and that mitigation M2 is applied on all on-prem Exchange servers. Use the Exchange Health Checker script to confirm.
- For air-gapped or disconnected environments, manually apply the mitigation using the Exchange On-Premises Mitigation Tool (EOMT) from an elevated Exchange Management Shell:
  Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
- Make sure all on-prem Exchange servers are running a supported Cumulative Update (CU); otherwise the permanent security update cannot be installed when it is released.
- Exchange Server 2016 and 2019 organizations must be enrolled in the Period 2 ESU program to receive the permanent security update. Verify enrollment now.
- Review OWA access logs for unusual login activity, suspicious sessions, or signs of lateral movement using compromised credentials.
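One way to carry out the EEMS verification step across the whole organization from an Exchange Management Shell, as an added example that is not part of this notice and not Microsoft's tooling. It assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties exposed by Get-OrganizationConfig and Get-ExchangeServer, and uses the mitigation ID M2 named above; the property names and output layout are the author's assumptions, not something the notice specifies.

```powershell
# Added example (not from the advisory). Run from an elevated Exchange Management Shell.
# Assumes EEMS exposes MitigationsEnabled (org and server), MitigationsApplied and
# MitigationsBlocked (server) via Get-OrganizationConfig / Get-ExchangeServer.
$RequiredMitigation = "M2"   # mitigation ID named in the notice

# Org-level switch: if this is false, EEMS applies nothing on any server.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; $RequiredMitigation will not be auto-applied anywhere."
}

# Edge Transport servers do not host OWA, so exclude them (same filter as the EOMT command above).
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$report = foreach ($s in $servers) {
    $applied = @($s.MitigationsApplied)
    $blocked = @($s.MitigationsBlocked)
    [pscustomobject]@{
        Server              = $s.Name
        ServerRole          = $s.ServerRole
        MitigationsEnabled  = [bool]$s.MitigationsEnabled
        M2Applied           = ($applied -contains $RequiredMitigation)
        M2Blocked           = ($blocked -contains $RequiredMitigation)
        AdminDisplayVersion = $s.AdminDisplayVersion   # compare against the supported CU list
    }
}

$report | Format-Table -AutoSize

# Servers with EEMS off, M2 missing, or M2 blocked need manual EOMT (disconnected hosts) or investigation.
$gaps = $report | Where-Object { -not $_.MitigationsEnabled -or -not $_.M2Applied -or $_.M2Blocked }
if ($gaps) {
    Write-Warning "Servers without $RequiredMitigation in effect:"
    $gaps | Format-Table Server, MitigationsEnabled, M2Applied, M2Blocked -AutoSize
} else {
    Write-Host "All non-Edge Exchange servers report $RequiredMitigation applied."
}
```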