PT-2026-40978 · Microsoft · Exchange Server
Published
2026-05-14
·
Updated
2026-07-07
·
CVE-2026-42897
CVSS v2.0
9.4
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Microsoft Exchange Server Subscription Edition
Description
An improper neutralization of input during web page generation leads to a cross-site scripting (XSS) flaw in Outlook Web Access (OWA). A remote attacker can exploit this by sending a specially crafted email; if a user opens the message in OWA and certain interaction conditions are met, arbitrary JavaScript executes within the victim's browser session. This allows the attacker to perform spoofing, hijack authenticated sessions, steal credentials, and access mailbox data. The issue has been actively exploited in the wild, targeting on-premises environments to gain a foothold in corporate identity and communications.
Recommendations
For Microsoft Exchange Server Subscription Edition, apply the RTM update or the June 2026 Security Update.
For Microsoft Exchange Server 2016, apply CU23 (requires enrollment in the Period 2 Extended Security Update program) or the June 2026 Security Update.
For Microsoft Exchange Server 2019, apply CU14 or CU15 (requires enrollment in the Period 2 Extended Security Update program) or the June 2026 Security Update.
As a temporary mitigation, enable the Exchange Emergency Mitigation Service (EEMS) to automatically apply IIS URL Rewrite protections.
For air-gapped environments, run the Exchange on-premises Mitigation Tool (EOMT) using the command
.EOMT.ps1 -CVE "CVE-2026-42897".
Restrict external exposure of the OWA interface where possible to minimize the attack surface.Exploit
Fix
RCE
DoS
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Exchange Server