Cyberuptive

Exchange CVE-2026-42897: What to Verify Now

CISA’s KEV listing makes CVE-2026-42897 an immediate operational priority for organizations running on-premises Microsoft Exchange. The work is not just “apply the mitigation.” It is to verify coverage on every server, document exceptions, and be ready to prove that the exposure window is closing.

CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to the Known Exploited Vulnerabilities catalog on May 15, 2026, with a May 29, 2026 remediation due date for federal civilian agencies. The NVD record describes the issue as improper neutralization of input during web page generation in Microsoft Exchange Server that can allow an unauthorized attacker to perform spoofing over a network, and it lists the KEV-required action as applying vendor mitigations, following applicable BOD 22-01 cloud guidance, or discontinuing use if mitigations are unavailable (NVD CVE-2026-42897).

For Cyberuptive clients and other security leaders, the practical question is not whether this belongs in the urgent lane. It does. The better question is whether every exposed Exchange environment can show, with evidence, that mitigation is applied, monitored, and ready for permanent patching once Microsoft releases the update.

What is CVE-2026-42897 in Microsoft Exchange?

CVE-2026-42897 is a Microsoft Exchange Server vulnerability affecting Outlook Web Access (OWA). Microsoft says an attacker could exploit it by sending a specially crafted email to a user; if the user opens that message in OWA and certain interaction conditions are met, arbitrary JavaScript can execute in the browser context (Microsoft Exchange Team guidance).

Microsoft lists Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition as affected at any update level, while also stating that Exchange Online is not impacted (Microsoft Exchange Team guidance).

That distinction matters. Microsoft 365 tenants using Exchange Online should still review identity and mailbox monitoring, but the emergency work is for on-premises Exchange servers, hybrid environments with on-premises roles, and disconnected or air-gapped Exchange deployments where automated mitigation may not be available.

Why does CISA KEV inclusion change the response?

KEV inclusion means CISA has enough evidence of active exploitation to place the CVE in its operational remediation catalog. The NVD KEV table for CVE-2026-42897 shows a May 15, 2026 date added, a May 29, 2026 due date, and a required action to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable (NVD CVE-2026-42897).

Federal civilian agencies have formal obligations under BOD 22-01, but private-sector organizations should treat KEV as a high-confidence prioritization signal. It is especially relevant for healthcare, government contractors, financial services, and mid-market organizations that still run on-premises Exchange, where mailbox access, identity context, and user trust all sit close to business-critical communications.

Who is affected by CVE-2026-42897?

Organizations should prioritize the following environments:

  • On-premises Exchange Server 2016: Microsoft identifies any update level as affected, with future updates expected only for CU23 customers enrolled in the applicable Period 2 Exchange Server ESU program (Microsoft Exchange Team guidance).
  • On-premises Exchange Server 2019: Microsoft identifies any update level as affected, with future updates expected for CU14 and CU15 customers enrolled in the applicable Period 2 Exchange Server ESU program (Microsoft Exchange Team guidance).
  • Exchange Server Subscription Edition: Microsoft identifies any update level as affected and says an update is planned for SE RTM (Microsoft Exchange Team guidance).
  • Hybrid Exchange estates: Even if primary mailboxes are in Exchange Online, any remaining on-premises Exchange roles should be inventoried and validated.
  • Disconnected or air-gapped environments: The Exchange Emergency Mitigation Service depends on outbound connectivity to Microsoft to fetch new mitigations, so these servers may need scripted mitigation (EOMT) instead.

Exchange Online is not impacted by CVE-2026-42897 according to Microsoft, but organizations should avoid translating that into “no action.” Hybrid dependencies, legacy servers, forgotten management interfaces, and stale inventory entries are where risk usually persists.

What should organizations verify in the next 24 hours?

The fastest useful response is a short verification sprint.

1) Confirm whether Exchange is present and exposed

Start with asset inventory, external attack surface management, DNS, firewall rules, load balancers, and certificate inventories. Look for OWA endpoints, hybrid Exchange roles, older Exchange servers retained for management, and systems that may not be visible in vulnerability scans because they sit behind reverse proxies.

2) Verify mitigation status, not just service status

Microsoft’s recommended path is the Exchange Emergency Mitigation Service (EEMS), which applies mitigations automatically when it is enabled and the server can reach Microsoft to fetch them. Microsoft says the mitigation is available for Exchange Server 2016, 2019, and Subscription Edition, and notes that servers must be running a March 2023 or newer Exchange Server build for EEMS to check for new mitigations (Microsoft Exchange Team guidance).

Security teams should capture proof that the mitigation is applied on each server, not just that EEMS is enabled. Microsoft recommends reviewing the applied mitigations and running the Exchange Health Checker script to review EEMS results (Microsoft Exchange Team guidance).

3) Use EOMT where automated mitigation is unavailable

For disconnected or air-gapped environments, Microsoft points administrators to the Exchange on-premises Mitigation Tool (EOMT). Microsoft’s guidance includes running .\EOMT.ps1 -CVE "CVE-2026-42897" for a single server, or using Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897" across applicable servers (Microsoft Exchange Team guidance).

Treat those commands as operational guidance to be executed by the Exchange administrator in a controlled change window. The security team should retain the evidence record, not simply assume the mitigation ran.
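As an added illustration (this is the editor's example, not Microsoft's tooling and not code from the original guidance), the following Exchange Management Shell script turns steps 1 through 3 into a per-server evidence record. It relies on the EEMS state properties that Get-ExchangeServer exposes (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) and on the org-wide MitigationsEnabled flag from Get-OrganizationConfig. The mitigation identifier for CVE-2026-42897 is not stated on this page, so the -MitigationId parameter, the output file name, and the Owner and ExceptionReason columns are assumptions to be filled from Microsoft's guidance and your own asset inventory.

```powershell
# Added example: editor's illustration of an evidence-capture pass, not Microsoft's code and
# not the EEMS/EOMT tooling itself. Run in the Exchange Management Shell with an account that
# has at least View-Only Organization Management.
# Assumptions: Get-ExchangeServer exposes MitigationsEnabled / MitigationsApplied /
# MitigationsBlocked (present on EEMS-capable builds, null on older ones), and -MitigationId is
# the identifier Microsoft publishes for the CVE-2026-42897 mitigation (not stated on this page).
param(
    [string]$MitigationId = "",   # assumption: supply the ID from Microsoft's guidance
    [string]$OutputPath   = ".\exchange-cve-2026-42897-evidence.csv"
)

$collectedAt = (Get-Date).ToUniversalTime().ToString("o")
$orgEems     = (Get-OrganizationConfig).MitigationsEnabled    # org-wide EEMS switch

# Edge Transport servers do not serve OWA; Microsoft's EOMT loop excludes them, so this does too.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$evidence = foreach ($s in $servers) {
    $applied = @($s.MitigationsApplied)   # @() keeps -contains safe when the property is null
    $blocked = @($s.MitigationsBlocked)

    # Per-server verdict. "Unknown-NoEEMS" means the build cannot report EEMS state at all;
    # that server is an exception candidate, not a pass.
    $status = if ($null -eq $s.MitigationsEnabled)                  { "Unknown-NoEEMS" }
              elseif (-not $orgEems -or -not $s.MitigationsEnabled)  { "EEMS-Disabled" }
              elseif (-not $MitigationId)                            { "EEMS-On-IdNotChecked" }
              elseif ($applied -contains $MitigationId)              { "Mitigated" }
              elseif ($blocked -contains $MitigationId)              { "Blocked" }
              else                                                   { "NotApplied" }

    [pscustomobject]@{
        CollectedAtUtc     = $collectedAt
        Server             = $s.Name
        Fqdn               = $s.Fqdn
        Version            = "$($s.AdminDisplayVersion)"
        Roles              = "$($s.ServerRole)"
        OrgEemsEnabled     = $orgEems
        ServerEemsEnabled  = $s.MitigationsEnabled
        MitigationsApplied = ($applied -join ";")
        MitigationsBlocked = ($blocked -join ";")
        Status             = $status
        Owner              = ""   # filled in by hand from the asset inventory (assumption)
        ExceptionReason    = ""   # filled in for anything that is not "Mitigated"
    }
}

$evidence | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$evidence | Format-Table Server, Version, Status, MitigationsApplied -AutoSize

# Every row that is not "Mitigated" belongs in the exception record with an owner and a target date.
$evidence | Where-Object { $_.Status -ne "Mitigated" } |
    ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Server, $_.Status) }
```

Run it once before the change window and once after, and keep both CSVs with the EOMT transcript. The script reports what EEMS knows about each server; for an air-gapped server mitigated with EOMT, the EOMT output and the Health Checker report are the evidence, and this record only documents the server's version, role, and EEMS state alongside them.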

What evidence should security and compliance teams keep?

This is the part many teams skip under pressure. For a KEV item, the evidence package matters almost as much as the technical action because it proves the exposure window is being managed.

Recommended artifacts:

  • Asset scope: List of Exchange servers, versions, cumulative update levels, roles, exposure status, and business owners.
  • Mitigation record: EEMS status or EOMT execution evidence, including timestamps and per-server results.
  • Exception record: Any server not mitigated, with compensating controls, owner, and target date.
  • Monitoring record: OWA logs, authentication logs, proxy logs, EDR telemetry, and SIEM detections reviewed for suspicious activity.
  • Patch-readiness record: Current CU/ESU eligibility, rollback plan, maintenance window, and owner for applying Microsoft’s permanent update once released.

The goal is a short, auditable story: what was in scope, what was mitigated, what could not be mitigated, what was monitored, and what comes next.

What should organizations do before Microsoft releases the permanent update?

Microsoft says it is working on a permanent security update for impacted Exchange versions, with planned update paths for Exchange Server SE RTM, Exchange Server 2019 CU14/CU15 under the applicable ESU program, and Exchange Server 2016 CU23 under the applicable ESU program (Microsoft Exchange Team guidance).

That creates a governance problem: mitigation buys time, but it does not remove the need for patch readiness.

Security and IT leaders should use the gap before the permanent update to:

  • Normalize supported baselines: Move unsupported or older CU systems toward update-eligible versions.
  • Pre-approve emergency windows: Avoid waiting for a full change board cycle after the permanent update drops.
  • Test rollback plans: Validate backups, snapshots, and mail-flow health checks before patch day.
  • Review OWA exposure: Limit unnecessary external access and validate reverse proxy, WAF, conditional access, and segmentation controls.
  • Prepare communications: Tell help desk and business stakeholders what OWA behavior may change under mitigation.

Microsoft also documents several known issues related to the mitigation, including possible OWA Print Calendar impact, inline image display issues, OWA Light issues, OWACalendar.Proxy healthset alerts, and a cosmetic “Mitigation invalid for this exchange version” message when status still shows Applied (Microsoft Exchange Team guidance).

Detection and monitoring priorities

Microsoft has not published attacker infrastructure or a complete exploitation playbook in the official guidance, so defenders should avoid inventing indicators. Focus instead on behavior and logs that align with the affected surface:

  • OWA access logs: Review unusual access patterns, suspicious user-agent shifts, abnormal request paths, and spikes around mailbox access.
  • Authentication telemetry: Look for impossible travel, new device fingerprints, unexpected MFA prompts, or sign-ins inconsistent with the user’s normal pattern.
  • Mailbox audit logs: Review suspicious inbox rule creation, unusual message access, forwarding changes, or delegated access changes.
  • Proxy and WAF telemetry: Review requests containing unusual script-like parameters or abnormal OWA interaction patterns.
  • EDR and endpoint logs: Watch for browser behavior that suggests script execution leading to credential theft, session misuse, or follow-on tooling.

Keep the hunt defensive and evidence-based. If no suspicious activity is found, record the scope and timeframe reviewed so the organization can show reasonable diligence.
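As an added example (the editor's illustration, not code from the original article or from Microsoft, and not an indicator set for this CVE), the script below implements two of the log checks listed above offline: script-like content in OWA query strings after URL decoding, and a user-agent change for the same account within one log. It parses IIS W3C logs, which on an Exchange server are assumed to live under C:\inetpub\logs\LogFiles\W3SVC1 (pass -LogPath for the real files). The embedded log lines are constructed for the demonstration, and the regex is a generic XSS-shaped triage pattern, not a signature derived from the vulnerability.

```powershell
# Added example: editor's illustration of an offline OWA log triage, not code from the
# original article or from Microsoft, and not an indicator list for CVE-2026-42897.
# Assumptions: IIS W3C logs (default C:\inetpub\logs\LogFiles\W3SVC1 on an Exchange server),
# with cs-uri-stem, cs-uri-query, cs-username, c-ip and cs(User-Agent) enabled in IIS logging.
# Runs against the CONSTRUCTED sample below when no -LogPath is given.
param(
    [string[]]$LogPath = @()
)

# Constructed sample log (not real traffic). Alice's activity shifts from a browser on an
# internal address to a scripted client on an external one, and one request carries an
# encoded <script> tag in the query string.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2026-05-16 08:01:12 GET /owa/ - CORP\alice 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-16 08:02:05 POST /owa/service.svc action=GetConversationItems CORP\alice 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-16 08:40:31 GET /owa/ ae=Item&t=IPM.Note&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E CORP\alice 203.0.113.9 python-requests/2.31 200
2026-05-16 08:41:02 POST /owa/service.svc action=NewInboxRule CORP\alice 203.0.113.9 python-requests/2.31 200
2026-05-16 09:10:44 GET /owa/ - CORP\bob 10.1.2.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/125 200
'@

# Minimal W3C parser: the #Fields directive names the columns, and IIS encodes spaces inside a
# value as '+', so splitting on whitespace is safe.
function ConvertFrom-IisW3C {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line.Trim() -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Generic XSS-shaped tokens, matched after URL decoding so %3Cscript%3E and <script> look the same.
# Triage heuristic only; it is not a signature for the vulnerability.
$scriptPattern = '<script|javascript:|on(error|load|click|mouseover|focus)\s*=|<svg|<iframe|eval\('

function Find-SuspiciousOwaRequests {
    param([object[]]$Entries)
    $findings = New-Object System.Collections.Generic.List[object]
    $lastSeen = @{}   # cs-username -> @{ Agent; Ip } from that account's previous request
    foreach ($e in ($Entries | Where-Object { $_.'cs-uri-stem' -like '/owa*' })) {
        $user  = $e.'cs-username'
        $agent = $e.'cs(User-Agent)'
        $when  = "$($e.date) $($e.time)"
        $query = [uri]::UnescapeDataString($e.'cs-uri-query')

        if ($query -match $scriptPattern) {
            $findings.Add([pscustomobject]@{ Time=$when; User=$user; Ip=$e.'c-ip'; Reason='script-like query'; Detail=$query })
        }
        if ($lastSeen.ContainsKey($user) -and $lastSeen[$user].Agent -ne $agent) {
            $findings.Add([pscustomobject]@{ Time=$when; User=$user; Ip=$e.'c-ip'; Reason='user-agent shift';
                                             Detail="$($lastSeen[$user].Agent) -> $agent (ip $($lastSeen[$user].Ip) -> $($e.'c-ip'))" })
        }
        $lastSeen[$user] = @{ Agent = $agent; Ip = $e.'c-ip' }
    }
    return $findings
}

$lines    = if ($LogPath.Count -gt 0) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }
$findings = Find-SuspiciousOwaRequests -Entries (ConvertFrom-IisW3C -Lines $lines)
$findings | Format-Table Time, User, Ip, Reason, Detail -AutoSize -Wrap

# Record the scope even when there are zero findings; the reviewed range is part of the evidence.
$source = if ($LogPath.Count -gt 0) { $LogPath -join ', ' } else { 'embedded constructed sample' }
"Reviewed {0} line(s) from {1}; {2} finding(s)." -f $lines.Count, $source, $findings.Count
```

Against the constructed sample this produces two findings, both for the alice account at 08:40:31 (the encoded script tag and the switch from a browser to python-requests). On a real server, the Exchange HttpProxy logs for OWA (under the Exchange install path's Logging\HttpProxy\Owa folder) carry similar per-request fields and are worth feeding through the same parser; either way, keep the printed scope line with the findings so the review window is documented whether or not anything turned up.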

Frequently asked questions about CVE-2026-42897

What is CVE-2026-42897?

CVE-2026-42897 is a Microsoft Exchange Server cross-site scripting vulnerability that can allow spoofing over a network, according to NVD (NVD CVE-2026-42897). Microsoft says it affects Outlook Web Access on Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (Microsoft Exchange Team guidance).

Is Exchange Online affected by CVE-2026-42897?

No. Microsoft states that Exchange Online is not impacted by CVE-2026-42897. The vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition (Microsoft Exchange Team guidance).

Which Exchange versions are affected?

Microsoft lists Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition as affected at any update level (Microsoft Exchange Team guidance).

What is the CISA KEV due date for CVE-2026-42897?

The NVD KEV table lists CVE-2026-42897 as added to KEV on May 15, 2026, with a May 29, 2026 due date for required action under BOD 22-01 (NVD CVE-2026-42897).

Is there a permanent patch for CVE-2026-42897?

Microsoft says it is working on a permanent security update, while providing mitigation through the Exchange Emergency Mitigation Service (EEMS) and the Exchange on-premises Mitigation Tool (EOMT) in the meantime (Microsoft Exchange Team guidance).

What should organizations do first?

Identify on-premises Exchange servers, verify whether EEMS or EOMT mitigation is applied, capture evidence with timestamps and per-server results, review OWA and authentication telemetry for suspicious activity, and prepare supported systems for the permanent update when Microsoft releases it.

Cyberuptive runs a 24/7 follow-the-sun SOC staffed by U.S.-based analysts, headquartered in Honolulu and serving customers across Asia-Pacific and the U.S. mainland. We help mid-market organizations, MSPs, and Pacific defense subcontractors triage KEV items, verify mitigation evidence, and produce the patch governance record regulators and auditors expect.

Read our vulnerability scanning services, our patch management services overview, and our SOC-as-a-Service overview, or talk to us about a no-obligation Exchange KEV response review.

Aloha, let’s talk

Need help triaging Exchange CVE-2026-42897?

A 30-minute scoping call gives you a real plan for KEV response, Exchange mitigation evidence, and patch governance — tailored to your stack. No commitment.