[CDP-development] TLP:GREEN (Zero-Day Notification) Urgent Mitigations Required for Exchange Server Zero-Day (CVE-2026-42897)
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Fri May 15 09:29:29 PDT 2026
Good morning,
The SOC Services team is reporting on CVE-2026-42897, an Exchange Server zero-day vulnerability requiring urgent mitigation that affects on-premises enterprise Microsoft Exchange email infrastructure. Because active in-the-wild exploitation has been confirmed and no official security update is available yet, we are providing this in-depth information.
History: On May 14, 2026, Microsoft disclosed CVE-2026-42897, a zero-day cross-site scripting (XSS) and spoofing vulnerability in on-premises Microsoft Exchange Server. The CVSS v3.x base score is 8.1 (HIGH) as assigned by Microsoft.
Affected Versions
* Microsoft Exchange Server 2016 (Any Cumulative Update level)
* Microsoft Exchange Server 2019 (Any Cumulative Update level)
* Microsoft Exchange Server Subscription Edition (SE) (Any Update level)
Fixed Versions
* Not permanently fixed. Future security updates will target Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 / CU15.
Microsoft Exchange Server is a physical or virtual on-premises server solution providing enterprise-grade email, calendar, contact management, and collaboration services. The affected component is Outlook on the web (OWA), the browser-based portal that remote and desktop users use to access their mailboxes directly over HTTPS.
More information regarding this vulnerability can be found here:
* Addressing Exchange Server May 2026 vulnerability CVE-2026-42897<https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498>
* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
Intelligence: Threat actors are utilizing specially crafted emails to execute arbitrary JavaScript within the browser sessions of authenticated Outlook on the web (OWA) users, creating an immediate risk of session hijacking, unauthorized data access, and corporate email environment compromise. On May 15, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.
Exploitability: Network
Complexity: Low
User Interaction: Required
Remotely Exploitable: Yes
Proof of Concept: Not publicly disclosed
Zero Day: Yes
Workarounds:
* Enable and verify the Exchange Emergency Mitigation Service (EEMS) so that it automatically deploys the IIS URL Rewrite Rule mitigation 'M2.1.0' (or subsequent M2.1.x iterations).
* For air-gapped or disconnected environments, manually apply the mitigation rule using the Exchange On-premises Mitigation Tool (EOMT) script from an elevated Exchange Management Shell.
* Instruct administrative or high-value personnel to temporarily process mail exclusively via the Outlook desktop client or mobile applications, avoiding OWA until the mitigation is confirmed active.
How it Works: The attack leverages a stored cross-site scripting (XSS) delivery pipeline caused by improper input sanitization during web page generation (CWE-79). An unauthenticated attacker crafts a malicious email containing malformed HTML, nested object elements, or specific handling attributes that evade the OWA server-side sanitization layer. When a target user authenticates to OWA and opens or previews the email, the OWA rendering module reflects the unsanitized string into the browser's document object model (DOM). Because this happens dynamically inside the logged-in web context of OWA, the browser executes the payload implicitly under the security context of the user's session, bypassing standard Same-Origin Policy (SOP) controls.
Post-Exploit Impact:
* Session Hijacking and Token Theft: Arbitrary script execution allows the extraction of active session cookies and authorization tokens from browser storage, enabling attackers to maintain persistence inside the mailbox without possessing the user's password (CWE-79).
* Data Exfiltration and Lateral Impersonation: Automated API calls can be executed silently on behalf of the victim to download entire mailboxes, modify inbox forwarding rules, search sensitive directories, or distribute further internal phishing emails to move laterally within the organization (CWE-200).
Indicators of Compromise (IoCs):
* Type: IIS URL Rewrite Rule Logs
  Value: M2.1.0 / M2.1.x rule matches
  Description / Notes: Inbound HTTP requests modified or dropped by the EEMS/EOMT URL Rewrite configuration on Front End IIS servers indicate blocked exploitation attempts.
  Source: Microsoft Security Team
* Type: Application Event Log / IIS Errors
  Value: MSExchangeOWACalendarAppPool fatal communication error
  Description / Notes: An increase in event IDs tracking fatal communication errors within MSExchangeOWACalendarAppPool, or 500/503 errors on the OWACalendar.Proxy endpoints, can serve as a side-effect marker for applied mitigations or as anomalous OWA exploitation telemetry.
  Source: Enterprise Blue Team Field Intelligence
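The two side-effect markers listed above (500/503 responses on the OWA calendar endpoints, and Application-log errors mentioning MSExchangeOWACalendarAppPool) can be pulled out with a short triage script. The following is an added example for this notification, not code from the SOC, Microsoft, or any product; the IIS log lines are constructed for the demo, the `/owa/calendar` path pattern and the `C:\inetpub\logs\LogFiles\W3SVC1` location are assumptions to adjust for your Front End servers, and the event-log query filters on message text because the notification does not enumerate specific event IDs.

```powershell
# Added triage example (not from the advisory). Run in Windows PowerShell on a
# Front End / Mailbox server, or feed it IIS logs copied from one.

function Get-OwaCalendarErrors {
    # Parse IIS W3C log lines and return 500/503 responses on OWA calendar URIs.
    param(
        [Parameter(Mandatory)] [string[]]$LogLines,
        [int[]]$StatusCodes = @(500, 503),
        [string]$UriPattern = '^/owa/.*calendar'   # assumption: adjust to your endpoint paths
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The W3C header names the columns; index by name so field order does not matter.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['cs-uri-stem'] -match $UriPattern -and ([int]$rec['sc-status']) -in $StatusCodes) {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                User   = $rec['cs-username']
                Uri    = $rec['cs-uri-stem']
                Status = $rec['sc-status']
            }
        }
    }
}

function Get-OwaCalendarAppPoolEvents {
    # Critical/Error events in the local Application log whose text names the
    # OWA calendar app pool. Reads live data; nothing is constructed here.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSExchangeOWACalendarAppPool' } |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed sample IIS log (default W3C fields); the 503 and 500 lines are the hits.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-05-15 14:02:11 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 192.0.2.10 Mozilla/5.0 200 0 0 120
2026-05-15 14:02:15 10.0.0.5 POST /owa/calendar/service.svc action=GetCalendarView 443 CONTOSO\alice 192.0.2.10 Mozilla/5.0 503 0 0 15
2026-05-15 14:02:19 10.0.0.5 GET /owa/calendar/alice@contoso.example/calendar.ics - 443 - 198.51.100.7 python-requests/2.31 500 0 0 9
'@ -split "`r?`n"

Get-OwaCalendarErrors -LogLines $sample | Format-Table -AutoSize

# Real data: the day's Front End log plus the last 24h of Application-log errors.
# Get-OwaCalendarErrors -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260515.log') | Group-Object Client | Sort-Object Count -Descending
# Get-OwaCalendarAppPoolEvents -Hours 24 | Format-Table -AutoSize
```

Group the hits by client address and by hour before escalating: a burst that coincides with EEMS applying the M2.1.x rule is the expected side effect described above, whereas the same errors from a single external client, or from a user-agent that is not a browser, are worth a closer look at that session.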
Tenable Plugins: As of the release of this Vulnerability Notification, Tenable has not published any plugins for this CVE.
Recommended Actions:
Date Added to KEV Catalog: N/A
Due Date for Remediation: N/A
* Verify immediately that your on-premises Exchange servers are running a version released in March 2023 or later, to ensure compatibility with the emergency mitigation metadata streams.
* Confirm the active status of the Exchange Emergency Mitigation Service (EEMS). Open an elevated Exchange Management Shell (EMS) and run the Exchange Health Checker script (https://aka.ms/ExchangeHealthChecker), then audit its HTML report for the applied 'M2' mitigation status.
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
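The EEMS checks called for under Workarounds and in the first two recommended actions can be scripted so every server is audited the same way. The following is an added example for this notification, not code from the SOC, Microsoft, or the Health Checker project; it is meant to run from an elevated Exchange Management Shell. It relies on the `MSExchangeMitigation` service and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties that Exchange exposes on servers with EEMS support; the `M2.1.` mitigation ID prefix is taken from this notification.

```powershell
# Added example (not from the advisory): audit EEMS state and M2.1.x mitigation
# deployment across all Mailbox servers. Run from an elevated Exchange Management Shell.
param(
    [string]$MitigationPrefix = 'M2.1.'   # mitigation ID family named in the notification
)

# Organization-wide switch: when this is $false EEMS applies nothing on any server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEnabled"

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    # The service itself is local to each server; Windows PowerShell (which EMS uses)
    # still supports -ComputerName on Get-Service.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    $match   = @($applied | Where-Object { $_ -like "$MitigationPrefix*" })

    $healthy = $orgEnabled -and $srv.MitigationsEnabled -and
               $svc -and $svc.Status -eq 'Running' -and $match.Count -gt 0

    [pscustomobject]@{
        Server             = $srv.Name
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsEnabled = $srv.MitigationsEnabled
        M2Applied          = if ($match.Count) { $match -join ',' } else { 'NONE' }
        Blocked            = $blocked -join ','
        Status             = if ($healthy) { 'OK' } else { 'ACTION REQUIRED' }
    }
}

$report | Format-Table -AutoSize

# Servers flagged ACTION REQUIRED are the ones to hand to the EOMT manual path
# (disconnected hosts) or to investigate for a stopped service / blocked mitigation.
$report | Where-Object Status -ne 'OK' | Select-Object Server, ServiceStatus, M2Applied, Blocked
```

A server that shows the mitigation in `Blocked` has had it explicitly excluded by an administrator; treat that as a deliberate exception to review rather than a deployment failure, and cross-check the result against the Health Checker HTML report recommended above.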
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>