Critical XSS in Microsoft Exchange Server (CVE‑2026‑42897) Enables Email Spoofing
What It Is — A critical cross‑site scripting (XSS) flaw (CVE‑2026‑42897) affects on‑premises Microsoft Exchange Server 2016, 2019 and Subscription Edition RTM. The vulnerability allows an attacker to inject arbitrary JavaScript into Outlook Web Access (OWA) when a specially crafted email is opened, leading to credential theft, session hijacking, or further malware delivery.
Exploitability — Microsoft has confirmed that the vulnerability is being actively exploited in the wild. No public proof‑of‑concept code has been released, but attackers are already leveraging crafted phishing emails. A permanent fix is pending; temporary mitigations are available. CVSS v3.1 is expected to be ≥9.0 (Critical).
Affected Products — Microsoft Exchange Server 2016 (CU23), Exchange Server 2019 (CU14, CU15), and Exchange Server Subscription Edition RTM. Exchange Online is not impacted.
TPRM Impact —
- Third‑party vendors that host on‑premises Exchange for clients become a conduit for credential‑stealing attacks against downstream organizations.
- Compromise of OWA sessions can expose sensitive corporate communications, intellectual property, and personal data, creating downstream supply‑chain risk.
Recommended Actions —
- Verify enrollment in the Period 2 Exchange Server ESU program and apply any available cumulative updates (CU23 for 2016, CU14/CU15 for 2019).
- Enable the Exchange Emergency Mitigation Service (enabled by default) and run the Exchange On‑Premises Mitigation Tool (EOMT) script immediately.
- Enforce multi‑factor authentication (MFA) for all OWA users and restrict OWA access to trusted IP ranges where feasible.
- Conduct a rapid phishing‑simulation exercise to gauge user susceptibility to crafted emails.
- Review third‑party contracts for Exchange hosting services and require proof of mitigation implementation.
Source: Help Net Security