Improper neutralization of input during web page generation

CVE-2026-42897 is an XSS flaw in on-prem Exchange OWA that lets an unauthenticated attacker send a crafted email which can execute attacker-controlled JavaScript when the victim opens it in Outlook on the web and the required interaction conditions are met. Microsoft says Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected at any update level; Exchange Online is not affected.

The vendor's HIGH 8.1 is directionally fair, but the operational story is narrower than that score implies. This is not pre-auth Exchange server RCE: the code runs in the victim's browser session, needs user interaction, and only matters where OWA is actually used and reachable. What keeps it firmly in the urgent lane is the KEV listing and confirmed active exploitation, plus the fact that email/session access on Exchange is high-value even without host-level code execution.

Why this verdict

• KEV overrides the usual debate: confirmed exploitation in the wild means this is not theoretical, and it targets a business-critical platform with mailbox trust built in.
• User interaction trims the score: the attacker needs a victim to open the crafted email in OWA and satisfy interaction conditions, which sharply narrows reachable population versus pre-auth server bugs.
• On-prem-only narrows population: Exchange Online is not affected, so only organizations still running on-prem Exchange with OWA in use are exposed.
• Blast radius is user-context, not SYSTEM: the attacker gets what the victim's OWA session can do, which is dangerous for executives/admins but still not equivalent to host-level Exchange RCE.
• Mitigation exists today: Microsoft can auto-apply M2.1.x via EM Service, reducing dwell time for organizations that left the feature enabled.

Why not higher?

This is not the classic Exchange nightmare scenario where an unauthenticated attacker lands code execution on the server and pivots from there. The chain needs human interaction in OWA, and the practical payload executes in the victim's browser/session rather than as SYSTEM on the Exchange host.

Why not lower?

KEV listing prevents any comfortable downgrade into backlog territory. Even without host takeover, hijacking a live OWA session on a mail server is enough for data theft, internal phishing, fraud enablement, and abuse of high-trust communications.

1. Verify M2.1.x everywhere — Confirm Microsoft's Exchange Emergency Mitigation Service applied mitigation M2.1.x on every Exchange mailbox server, or run EOMT in disconnected environments. Because this CVE is KEV-listed, deploy and verify this immediately, within hours rather than waiting for the normal HIGH timeline.
2. Kill IE and IE mode for OWA — Block Internet Explorer and Edge IE mode access to OWA because Microsoft states the mitigation does not protect those clients due to missing CSP support. Enforce this immediately, within hours anywhere legacy browser paths still exist.
3. Constrain OWA exposure — Reduce external reachability to OWA with VPN, reverse-proxy policy, IP allowlisting, or temporary geo/business-unit restrictions where operationally possible. For a KEV-listed bug on a public mail surface, put this control in place immediately, within hours for internet-facing instances.
4. Hunt for mailbox abuse — Prioritize detections for anomalous OWA sends, suspicious mailbox rule creation, impossible-travel sessions, and abnormal browser/user-agent patterns. Start the hunt immediately, within hours because successful exploitation looks like trusted user activity more than malware on disk.
5. Tier admin mail access away from OWA — Restrict or temporarily reroute privileged/admin mailbox use away from OWA where feasible, because the value of this CVE scales with who opens the message. Apply this immediately, within hours for high-value identities.

Run this on each on-prem Exchange server from an elevated Exchange Management Shell or an elevated PowerShell session on the target host. Example: powershell -ExecutionPolicy Bypass -File .\Test-CVE-2026-42897.ps1; local admin is recommended, and for this CVE the script treats **PATCHED as either Microsoft's mitigation M2.1* being applied or the matching CSP rule being present**, since no permanent fixed build was confirmed in the retrieved vendor guidance.

# Test-CVE-2026-42897.ps1

# Checks whether an on-prem Exchange server appears protected from CVE-2026-42897.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$Status,
        [int]$Code,
        [string]$Detail
    )
    Write-Output "$Status - $Detail"
    exit $Code
}

try {
    # Load Exchange snap-in if needed

    if (-not (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
        try {
            Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop
        } catch {
            # Continue; command might still be available in EMS only

        }
    }

    if (-not (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
        Write-Result -Status 'UNKNOWN' -Code 2 -Detail 'Get-ExchangeServer is unavailable. Run from Exchange Management Shell on the target server.'
    }

    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction Stop
    if (-not $server) {
        Write-Result -Status 'UNKNOWN' -Code 2 -Detail 'Local server is not returned by Get-ExchangeServer.'
    }

    # Confirm this is an Exchange version family in scope

    $editionText = ($server.AdminDisplayVersion | Out-String).Trim()
    $major = $server.AdminDisplayVersion.Major
    $minor = $server.AdminDisplayVersion.Minor

    # Exchange 2016/2019/SE all live under v15; scope determination is imperfect from PowerShell alone.

    if ($major -ne 15) {
        Write-Result -Status 'UNKNOWN' -Code 2 -Detail "Server does not look like Exchange v15-family. Found: $editionText"
    }

    $applied = @()
    $blocked = @()
    if ($server.MitigationsApplied) { $applied = @($server.MitigationsApplied) }
    if ($server.MitigationsBlocked) { $blocked = @($server.MitigationsBlocked) }

    $m21Applied = $false
    $m21Blocked = $false

    foreach ($m in $applied) {
        if ($m -match '^M2\.1') { $m21Applied = $true }
    }
    foreach ($m in $blocked) {
        if ($m -match '^M2\.1') { $m21Blocked = $true }
    }

    # Secondary check: look for the CSP mitigation artifact in common OWA/IIS config locations.

    $pathsToCheck = @(
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config',
        'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\web.config',
        "$env:windir\System32\inetsrv\config\applicationHost.config"
    )

    $cspFound = $false
    foreach ($p in $pathsToCheck) {
        if (Test-Path $p) {
            try {
                $content = Get-Content -Path $p -Raw -ErrorAction Stop
                if ($content -match 'Content-Security-Policy' -and $content -match "script-src-attr\s+''none''|script-src-attr\s+'none'") {
                    $cspFound = $true
                }
            } catch {
                # ignore per-file read errors and continue

            }
        }
    }

    # Service state is helpful context but not decisive

    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'Missing' }

    if ($m21Blocked) {
        Write-Result -Status 'VULNERABLE' -Code 1 -Detail "Mitigation M2.1* is explicitly blocked on this server. EM service state: $svcState. Build: $editionText"
    }

    if ($m21Applied -or $cspFound) {
        $reason = @()
        if ($m21Applied) { $reason += 'M2.1* present in MitigationsApplied' }
        if ($cspFound) { $reason += 'CSP mitigation artifact found in config' }
        Write-Result -Status 'PATCHED' -Code 0 -Detail (("Protected for CVE-2026-42897: {0}. EM service state: {1}. Build: {2}" -f ($reason -join '; '), $svcState, $editionText))
    }

    Write-Result -Status 'VULNERABLE' -Code 1 -Detail "No evidence of M2.1* or matching CSP mitigation found. EM service state: $svcState. Build: $editionText"
}
catch {
    Write-Result -Status 'UNKNOWN' -Code 2 -Detail $_.Exception.Message
}

Sources

1. Microsoft Security Update Guide - CVE-2026-42897
2. Microsoft Exchange Team - Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
3. NVD - CVE-2026-42897
4. CISA Known Exploited Vulnerabilities Catalog
5. Microsoft Learn - Exchange Emergency Mitigation Service
6. Microsoft Learn - Exchange Server build numbers and release dates
7. FIRST - EPSS
8. Censys advisory on exposed on-prem Exchange population (related Exchange exposure baseline)