Zero‑Day XSS Vulnerability (CVE‑2026‑42897) in Microsoft Exchange Server Exploited in the Wild
What Happened – Microsoft disclosed a high‑severity, actively‑exploited zero‑day (CVE‑2026‑42897) in Exchange Server 2016, 2019 and Subscription Edition. The flaw is a cross‑site scripting bug in Outlook on the Web (OWA): when a victim opens a crafted email in OWA, attacker‑supplied JavaScript runs in the victim's browser under the OWA origin, so it inherits the victim's authenticated mailbox session. No user interaction beyond opening the message is described.
Why It Matters for TPRM –
- The vulnerability affects on‑premises Exchange, which many enterprises do not run themselves but have hosted or administered by a third‑party provider or MSP; the patch/mitigation state of those servers is the vendor's responsibility and the client's risk.
- Because the script runs inside the victim's OWA session, exploitation can yield theft of the session or credentials, actions taken in the victim's mailbox (reading and exfiltrating mail), and a foothold that an attacker can use for lateral movement inside the client's network.
- No permanent patch exists yet; the only defence is Microsoft's temporary mitigations (EEMS/EOMT), which disable or degrade some OWA functionality, so vendors may be tempted to delay or skip them.
Who Is Affected – Organizations across all sectors that run Microsoft Exchange Server 2016, 2019, or Subscription Edition on‑premises. Internet‑exposed OWA raises the risk because a stolen session is usable from anywhere, but the trigger is a delivered email, so an internal‑only OWA deployment is still reachable by any attacker who can get a message into a user's mailbox.
Recommended Actions –
- Enable the Exchange Emergency Mitigation Service (EEMS) immediately on all affected servers.
- EEMS only works on servers that can reach Microsoft's Office Config Service to download mitigations. For air‑gapped or egress‑restricted servers, apply the mitigation manually with the latest Exchange On‑Premises Mitigation Tool (EOMT) and re‑check after each update.
- Review third‑party risk contracts for Exchange hosting and require vendors to show evidence (for example, EEMS status output per server) that the mitigations are applied, not just a statement that they are.
- Monitor for anomalous OWA activity (sessions from unexpected locations, new inbox rules or forwarding, bulk mailbox reads) and tighten inbound email filtering. The trigger is a crafted message rather than necessarily an attachment, so attachment policies alone are not a sufficient control.
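The steps above amount to one check: is EEMS actually enabled, running and able to fetch mitigations on every Exchange server, and if not, which servers need the manual EOMT route. The script below is an added example written for this advisory, not Microsoft's tooling and not from the source article. It assumes the Exchange Management Shell on Exchange 2016 CU22+ / 2019 CU11+ (the builds that ship EEMS), the `MitigationsEnabled`/`MitigationsApplied`/`MitigationsBlocked` properties as shown here (confirm them against `Get-ExchangeServer | Format-List` on your build), the service short name `MSExchangeMitigation`, and the Office Config Service URL given in the code; the last two are assumptions to verify against Microsoft's EEMS documentation.

```powershell
# Added example for this advisory; not Microsoft's tooling and not from the source article.
# Run in the Exchange Management Shell on an Exchange 2016 CU22+ / 2019 CU11+ server
# (EEMS shipped with those CUs; older builds have none of these properties).

# 1. EEMS is gated by an org-wide switch; individual servers can additionally opt out.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled org-wide; enabling it.'
    Set-OrganizationConfig -MitigationsEnabled $true
}

# Assumed service short name for "Microsoft Exchange Emergency Mitigation Service".
$mitigationService = 'MSExchangeMitigation'
# Assumed Office Config Service URL that EEMS polls; verify against Microsoft's EEMS docs.
$ocsUrl = 'https://officeclient.microsoft.com/GetExchangeMitigations'

# 2. Per-server state. Only Mailbox-role servers run the mitigation service.
$report = foreach ($srv in Get-ExchangeServer) {
    if ($srv.ServerRole -notmatch 'Mailbox') { continue }

    if (-not $srv.MitigationsEnabled) {
        Write-Warning "$($srv.Name): EEMS disabled at server level; enabling."
        Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true
    }

    $svc = Get-Service -ComputerName $srv.Name -Name $mitigationService -ErrorAction SilentlyContinue

    # A server that cannot reach OCS never receives new mitigations (the air-gapped case);
    # it needs the mitigation applied manually with EOMT.
    $reachesOcs = Invoke-Command -ComputerName $srv.Name -ScriptBlock {
        param($u)
        try { [void](Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15); $true }
        catch { $false }
    } -ArgumentList $ocsUrl -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        Build              = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ', ')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
        ServiceRunning     = ($svc.Status -eq 'Running')
        ReachesOCS         = [bool]$reachesOcs
    }
}

$report | Format-Table -AutoSize

# 3. Servers where EEMS is not effective: the temporary mitigation is NOT in place there.
$report |
    Where-Object { -not $_.MitigationsEnabled -or -not $_.ServiceRunning -or -not $_.ReachesOCS } |
    ForEach-Object { Write-Warning "$($_.Server): EEMS not effective; apply the mitigation manually (EOMT) and re-check." }

# 4. Evidence for the TPRM file; hosting vendors can be asked to supply the same output.
$report | Export-Csv -Path ".\eems-status-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two things the report does not tell you: which mitigation ID corresponds to this CVE (that comes from Microsoft's advisory once the mitigation is published, and it will then appear under `MitigationsApplied`), and whether a vendor has deliberately blocked it via `MitigationsBlocked` to keep OWA features working. A non-empty `MitigationsBlocked` column on a hosted server is the question to put to the vendor.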
Technical Notes – The flaw is a cross‑site scripting (XSS) issue triggered by a specially crafted email. Exploitation gives the attacker arbitrary script execution in the victim's browser within the authenticated OWA session; it is not code execution on the Exchange server itself, but everything the user can do in OWA, the attacker's script can do. Microsoft's temporary mitigations (EEMS/EOMT) may impact OWA features such as calendar printing and inline image rendering, which is the operational trade‑off vendors must accept until a patch ships. Source: BleepingComputer