PT-2026-40978 · Microsoft · Exchange Server

Published

2026-05-14

·

Updated

2026-07-07

·

CVE-2026-42897

CVSS v2.0

9.4

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server 2016 Microsoft Exchange Server 2019 Microsoft Exchange Server Subscription Edition
Description An improper neutralization of input during web page generation leads to a cross-site scripting (XSS) flaw in Outlook Web Access (OWA). A remote attacker can exploit this by sending a specially crafted email; if a user opens the message in OWA and certain interaction conditions are met, arbitrary JavaScript executes within the victim's browser session. This allows the attacker to perform spoofing, hijack authenticated sessions, steal credentials, and access mailbox data. The issue has been actively exploited in the wild, targeting on-premises environments to gain a foothold in corporate identity and communications.
Recommendations For Microsoft Exchange Server Subscription Edition, apply the RTM update or the June 2026 Security Update. For Microsoft Exchange Server 2016, apply CU23 (requires enrollment in the Period 2 Extended Security Update program) or the June 2026 Security Update. For Microsoft Exchange Server 2019, apply CU14 or CU15 (requires enrollment in the Period 2 Extended Security Update program) or the June 2026 Security Update. As a temporary mitigation, enable the Exchange Emergency Mitigation Service (EEMS) to automatically apply IIS URL Rewrite protections. For air-gapped environments, run the Exchange on-premises Mitigation Tool (EOMT) using the command .EOMT.ps1 -CVE "CVE-2026-42897". Restrict external exposure of the OWA interface where possible to minimize the attack surface.

Exploit

Fix

RCE

DoS

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06919
CVE-2026-42897

Affected Products

Exchange Server