- Last update: 18/05/2026
- Affected software: Microsoft Exchange Server 2016, 2019, and Subscription Edition
- Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE/CVSS: CVE-2026-42897: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
- Sources:
  Microsoft - https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
  Microsoft - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
Microsoft Exchange Server is an email and collaboration platform widely used by enterprises for messaging, calendaring, and communication.
If exploited, this vulnerability could allow an unauthenticated attacker to execute arbitrary JavaScript in the context of a victim's authenticated browser session when the victim opens a specially crafted email in Outlook Web Access (OWA). Successful exploitation may lead to unauthorized access to the victim's mailbox and session data (Confidentiality) or unauthorized modification of email content or mailbox settings (Integrity). The vulnerability does not directly impact service availability (Availability).
This vulnerability is actively exploited in the wild. Applying Microsoft's recommended mitigations as quickly as possible is highly recommended: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
CVE-2026-42897 is a reflected cross-site scripting (XSS) vulnerability in the Outlook Web Access (OWA) component of Microsoft Exchange Server. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79). An unauthenticated attacker can exploit this vulnerability by sending a specially crafted email to a target user. When the recipient opens the email in OWA, attacker-controlled JavaScript is executed within the victim's authenticated browser session. This can result in session token capture, identity spoofing, and unauthorized access to the victim's mailbox.
At the time of writing (2026-05-18), no security update is available. Microsoft has deployed an emergency mitigation (M2) via the Exchange Emergency Mitigation Service (EEMS). On servers where EEMS is enabled and able to reach Microsoft's Office Config Service, this mitigation is applied automatically, typically within an hour. Administrators are advised to verify that mitigation M2 is listed as applied on every affected server rather than assuming it has been. For servers without EEMS enabled (or without outbound connectivity for EEMS), manual application of the mitigation using the Exchange On-premises Mitigation Tool is recommended.
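The following Exchange Management Shell snippet is an added example (not code from the CCB advisory or from Microsoft) showing how an administrator can check whether EEMS is running and whether mitigation M2 has actually been applied on each Exchange server. It uses the documented EEMS service name (MSExchangeMitigation), the MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties of Get-ExchangeServer and Get-OrganizationConfig, and the Office Config Service endpoint (officeclient.microsoft.com) that EEMS polls; the mitigation identifier "M2" is taken from the advisory text above. The event-log filter on the provider name is an assumption and may need adjusting to the exact source name on your build.

```powershell
# Added example: verify EEMS status and whether mitigation M2 is applied.
# Run from the Exchange Management Shell on a server with Exchange admin rights.

$MitigationId = 'M2'   # identifier from the CCB advisory / Microsoft blog

# 1. Is EEMS enabled at the organization level? (an org-level "False" disables it everywhere)
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization-level MitigationsEnabled: $orgEnabled"

# 2. Per-server state: service running, mitigations enabled, M2 applied or blocked
$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }) {

    # Service state is only queryable on the local host without remoting; use
    # Invoke-Command for remote servers. Here we check the server we are on.
    $svc = $null
    if ($srv.Name -ieq $env:COMPUTERNAME) {
        $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled
        EEMSServiceState   = if ($svc) { $svc.Status } else { 'n/a (remote)' }
        M2Applied          = ($srv.MitigationsApplied -contains $MitigationId)
        M2Blocked          = ($srv.MitigationsBlocked -contains $MitigationId)
        AllApplied         = ($srv.MitigationsApplied -join ',')
    }
}
$report | Format-Table -AutoSize

# 3. Can this host reach the Office Config Service that EEMS polls for new mitigations?
$ocs = Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 -WarningAction SilentlyContinue
Write-Host "Outbound TCP/443 to officeclient.microsoft.com: $($ocs.TcpTestSucceeded)"

# 4. Recent EEMS events in the Application log (provider-name match is an assumption;
#    adjust if your build logs under a different source name).
Get-WinEvent -LogName Application -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Mitigation*' } |
    Select-Object -First 20 TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap

# 5. Flag servers that still need attention: M2 not applied, or blocked, or EEMS off.
$needsAction = $report | Where-Object { -not $_.M2Applied -or $_.M2Blocked -or -not $_.MitigationsEnabled }
if ($needsAction) {
    Write-Warning "Mitigation $MitigationId is NOT confirmed on the following servers; apply it manually with Microsoft's Exchange On-premises Mitigation Tool per the linked blog post:"
    $needsAction | Format-Table Server, MitigationsEnabled, M2Applied, M2Blocked -AutoSize
} else {
    Write-Host "Mitigation $MitigationId is applied on all mailbox servers." -ForegroundColor Green
}
```

A server that shows MitigationsEnabled = True but no M2 in MitigationsApplied usually means EEMS has not yet polled (it checks hourly) or cannot reach officeclient.microsoft.com through the proxy; a value in MitigationsBlocked means an administrator explicitly blocked that mitigation. Microsoft's Get-Mitigations.ps1 script in the Exchange Scripts folder gives the same applied/blocked view per server.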
Patch
The Centre for Cybersecurity Belgium strongly recommends applying Microsoft's mitigations for CVE-2026-42897 without delay. Detailed mitigation instructions are available in: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
Monitor/Detect
The CCB recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.