CVE-2026-42897: Active Exchange Spoofing Flaw Needs Patching

Security researchers have identified an actively exploited vulnerability in a campaign disclosed on Fri, 15 Ma. According to The Hacker News, the activity.
Sara Amin
Marketing Student • Content & Writing Enthusiast

What Happened

CVE-2026-42897 is a spoofing and cross-site scripting vulnerability in on-premises Microsoft Exchange Server, rated CVSS 8.1. An attacker sends a crafted email to a target; when the victim opens that email in Outlook Web Access (OWA), attacker-supplied JavaScript executes in the victim's browser. Opening the message is the only user action required. BleepingComputer reports that Microsoft confirmed active exploitation in the wild in May 2026, and a fix shipped with the May 2026 Patch Tuesday security updates.

Why This Matters

JavaScript execution in the OWA browser context isn't just a technical curiosity. The script runs inside the session your user is already authenticated to, with that user's mailbox permissions. From there, the attacker can act as that user and send messages that genuinely originate from trusted internal mailboxes: your own organisation's addresses, your CFO, your IT helpdesk. The spoofing capability is the part that should make you genuinely uncomfortable.

What makes this particularly dangerous is that SPF, DKIM, and DMARC do nothing to stop it. Those controls verify that a message was sent from infrastructure authorised for the sender's domain, and a message sent by script from inside a legitimately authenticated OWA session comes from your own Exchange organisation, so it passes all three. That opens the door to CEO fraud and vendor impersonation schemes that an authentication-focused email gateway won't flag, because as far as the authentication headers are concerned, the message is legitimate. Phishing built on this flaw sails past sender-authentication checks; only content, link and behavioural analysis remain in its way. Think about the attack surface that creates across a large organisation where hundreds of staff use OWA daily.

Exchange Online is not affected. If your organisation completed its migration to Microsoft's hosted platform, you're not exposed here. But if you're still running on-prem Exchange, and plenty of enterprises, banks, and government bodies are, whether by choice or because migration is still in progress, you're sitting on an actively exploited vulnerability with a low attack complexity rating. No sophisticated tooling is required: the attacker needs to get one crafted email delivered to a mailbox, and the recipient needs to open it in OWA. The bar for exploitation is low, and the downstream impact of a successful CEO fraud or supply chain phishing campaign is anything but.

Who Is at Risk

The vulnerability affects Exchange Server 2016 across all supported versions, Exchange Server 2019 on CU14 and CU15, and Exchange Server Subscription Edition (SE) RTM. Exchange security updates are built per cumulative update, so a server that has fallen behind on its CU must first be brought to a supported CU before the security update will install. If you're running any of these, you need to act now.

Exchange Server 2013 is a separate and more serious problem. Microsoft won't be releasing a patch for it; it's out of support. If you have Exchange 2013 in your environment, no vendor-supplied fix is coming. Treat that as a critical exposure and escalate it immediately. Running an unpatched, out-of-support mail server against an actively exploited vulnerability is not a sustainable position. Reviewing those systems for signs of compromise should be an immediate priority while you plan your next step.

Exchange Online is not affected. Microsoft's hosted service does not carry this vulnerability, and no action is required from organisations running Exchange Online only.

What to Do Now

Apply the May 2026 security update immediately. The update is published through Microsoft Update, WSUS and the Microsoft Update Catalog; Exchange security updates are not delivered through the Exchange admin centre. Confirm each server is on a CU for which a May 2026 SU exists, and run the installer from an elevated command prompt, since a non-elevated install can fail part-way and leave the server in a broken state. This is the only definitive fix for CVE-2026-42897 on affected versions. Don't wait for your next maintenance window: Microsoft has confirmed active exploitation, which means your exposure window is open right now.

Run the Exchange Health Checker script before and after patching. Microsoft's Health Checker script (HealthChecker.ps1 in the microsoft/CSS-Exchange repository on GitHub) reports each server's CU and SU level, its Extended Protection state, and configuration issues that might affect patch deployment. It's a fast way to confirm you haven't missed anything and that the update applied cleanly. Download it from the official Microsoft GitHub repository and run it against each Exchange server in scope.
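As an added example (not the article's text and not Microsoft's own code), the following Exchange Management Shell session runs Health Checker against every server and then verifies the security update from the file version of ExSetup.exe, which reflects the SU level where Get-ExchangeServer's AdminDisplayVersion only reflects the CU. It assumes HealthChecker.ps1 has been downloaded from https://github.com/microsoft/CSS-Exchange into the current directory and that PowerShell remoting to the Exchange servers works. The patched build number is not stated in the article, so it is read from the operator, who takes it from the SU's KB article.

```powershell
# Added example, not from the article or from Microsoft's repository.
# Run in the Exchange Management Shell with HealthChecker.ps1 in the current directory.

# Health Checker pass: one run per server, then one consolidated HTML report.
# Repeat the same two lines after patching and compare the two reports.
foreach ($name in (Get-ExchangeServer).Name) {
    .\HealthChecker.ps1 -Server $name
}
.\HealthChecker.ps1 -BuildHtmlServersReport

function Test-ExchangeSecurityUpdate {
    # Compares each server's ExSetup.exe file version with the build the KB article
    # lists for the patched SU. A server that is still below it has not been patched.
    param(
        [Parameter(Mandatory)][version]$ExpectedBuild,      # from the SU's KB article (assumption: operator-supplied)
        [string[]]$ServerName = (Get-ExchangeServer).Name   # default: every server in the org
    )
    foreach ($s in $ServerName) {
        $fileVersion = Invoke-Command -ComputerName $s -ScriptBlock {
            # ExchangeInstallPath is a system environment variable on every Exchange server
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Server  = $s
            Build   = $fileVersion
            Patched = ([version]$fileVersion -ge $ExpectedBuild)   # $false: SU missing on this server
        }
    }
}

# The build string is whatever the May 2026 SU KB lists for your CU, e.g. 15.2.x.y for 2019.
Test-ExchangeSecurityUpdate -ExpectedBuild (Read-Host 'Patched ExSetup.exe build from the KB article') |
    Format-Table -AutoSize
```

Run the build check after the installer has finished and the server has rebooted; a server still reporting the pre-update build has a failed install, which is exactly the case Health Checker's report will also flag.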

Harden Receive connector permissions as a temporary measure. If you can't patch immediately, tightening Receive connector permissions, in particular what anonymous SMTP clients are allowed to do with your own domains, narrows the path for spoofed internal senders. Be clear-eyed about what this is: a short-term workaround, not a fix. It does not stop the script from executing in OWA; it buys time. The patch replaces it.

Enable Extended Protection and SMTP authentication logging. Extended Protection binds authentication to the TLS channel between clients and Exchange, which defeats credential relay against the Exchange virtual directories. SMTP authentication logging (verbose protocol logging on your Receive connectors) records every SMTP session, including AUTH attempts, so you can see who is submitting mail and from where. Neither of these substitutes for patching, but both improve your defensive posture and your ability to spot suspicious activity in the interim.
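The two interim measures above, as an added example that is not the article's text or Microsoft's own code: it lists the Receive connectors on which ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Authoritative-Domain-Sender (the right that lets an unauthenticated SMTP client put one of your own addresses in MAIL FROM), removes that right on connectors you choose, switches every connector to verbose protocol logging, and shows Extended Protection state. It assumes the Exchange Management Shell and ExchangeExtendedProtectionManagement.ps1 from https://github.com/microsoft/CSS-Exchange in the current directory; the function names are this example's own.

```powershell
# Added example, not from the article or from Microsoft's repository.
# Run in the Exchange Management Shell.

# 1. Which Receive connectors let anonymous senders use your authoritative domains?
function Get-AnonymousInternalSpoofPath {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $rights = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { $_.ExtendedRights -match 'Accept-Authoritative-Domain-Sender' }
        if ($rights) {
            [pscustomobject]@{
                Connector      = $rc.Identity
                Bindings       = ($rc.Bindings -join ',')
                RemoteIPRanges = ($rc.RemoteIPRanges -join ',')   # 0.0.0.0-255.255.255.255 = anyone
                ProtocolLog    = $rc.ProtocolLoggingLevel
            }
        }
    }
}

# 2. Remove that right from anonymous on selected connectors. Devices and applications
#    that relay as internal addresses without authenticating will stop working, so scope
#    the change to connectors you have reviewed rather than all of them.
function Remove-AnonymousInternalSpoofPath {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Connector)
    process {
        Get-ReceiveConnector -Identity $Connector |
            Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                -ExtendedRights 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender' -Confirm:$false
    }
}

# 3. Verbose protocol logging on every Receive connector. Each SMTP session, AUTH
#    attempts included, is written under
#    <ExchangeInstallPath>\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive.
Get-ReceiveConnector | Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 4. Extended Protection state per server and virtual directory. Running the same script
#    with no parameters enables it; do that only once every server is on a supported CU
#    and no SSL offloading sits in front of Exchange.
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

# Report first; remove the right only on the connectors you have decided to tighten.
Get-AnonymousInternalSpoofPath | Format-Table -AutoSize
# Get-AnonymousInternalSpoofPath | Where-Object Connector -like '*Default Frontend*' |
#     Remove-AnonymousInternalSpoofPath
```

The default front-end connector grants the anonymous sender right out of the box, which is why internal-domain spoofing over port 25 works on an unhardened server; removing it changes what unauthenticated SMTP clients can do, not what an already-authenticated OWA session can do, which is why the article is right to call this a stopgap.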

Isolate Exchange servers from direct internet access where feasible, and evaluate migration to Exchange Online. Restricting direct internet exposure limits how easily an external attacker can deliver the crafted email payload that triggers the vulnerability. Longer term, if you're still running on-prem Exchange, this incident is a concrete reason to accelerate your migration planning. Exchange Online isn't affected by CVE-2026-42897 and removes this entire category of on-prem Exchange risk from your environment.

Frequently Asked Questions

Does the attacker need my credentials or any special access to exploit this?

No. The attack vector is the network and the complexity is rated low: the attacker needs no credentials and no elevated permissions, only the ability to get a crafted email delivered to a mailbox. The victim then opens it in OWA. That's the full attack chain. Microsoft classifies the complexity as low, which means it doesn't require specialist knowledge or unusual preconditions to pull off.

If my users don't use OWA, are we still at risk?

The JavaScript execution is triggered specifically when the crafted email is opened in Outlook Web Access. If none of your users access email through OWA, your direct exploitation risk is lower — but you should still apply the patch. Relying on usage patterns as a control isn't something you want to depend on for an actively exploited vulnerability.

We're still on Exchange 2013. What are our options?

Microsoft won't patch Exchange 2013 — it's out of support. Your options are migration to a supported on-prem version that receives the fix, migration to Exchange Online, or accepting an unpatched exposure. Given active exploitation is confirmed, staying on Exchange 2013 without a compensating plan is a risk you should escalate to senior leadership immediately.

How do we know if we've already been compromised?

Microsoft hasn't published indicators of compromise specific to this vulnerability. Turn on Receive connector protocol logging now if it isn't already running, review the OWA front-end IIS logs for sessions whose client IP address or user agent changes part-way through, and treat any mail sent from an internal mailbox that its owner did not send as a signal worth investigating.
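One way to run the OWA log review described above, as an added example that is not the article's text or a Microsoft tool: it parses IIS W3C logs using their own #Fields header (so the column layout need not match the default), keeps only requests under /owa, and flags any authenticated user whose requests in the window come from more than one client IP or more than one user agent. The log lines are constructed for the example; the thresholds and the default log path are assumptions to adjust for your environment.

```powershell
# Added example, not from the article or from Microsoft.
# Constructed sample in IIS W3C format (spaces inside the User-Agent are encoded as '+').
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-14 08:01:12 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
2026-05-14 08:01:15 10.0.0.5 POST /owa/service.svc action=GetItem 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
2026-05-14 08:03:40 10.0.0.5 POST /owa/service.svc action=CreateItem 443 CONTOSO\alice 203.0.113.9 python-requests/2.31 200
2026-05-14 08:05:02 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 10.0.1.33 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
'@

function ConvertFrom-IisLog {
    # Turns W3C log lines into objects, taking column names from the #Fields directive.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-SuspiciousOwaSession {
    # Per authenticated user: distinct client IPs and user agents seen on /owa requests.
    # A legitimate browser session normally shows one of each; the thresholds are assumptions.
    param([Parameter(Mandatory)][object[]]$Rows, [int]$MaxIPs = 1, [int]$MaxUserAgents = 1)
    $Rows | Where-Object { $_.'cs-uri-stem' -like '/owa*' -and $_.'cs-username' -ne '-' } |
        Group-Object 'cs-username' | ForEach-Object {
            $ips = @($_.Group.'c-ip' | Sort-Object -Unique)
            $uas = @($_.Group.'cs(User-Agent)' | Sort-Object -Unique)
            [pscustomobject]@{
                User               = $_.Name
                Requests           = $_.Count
                DistinctIPs        = $ips.Count
                DistinctUserAgents = $uas.Count
                Suspicious         = ($ips.Count -gt $MaxIPs) -or ($uas.Count -gt $MaxUserAgents)
                IPs                = ($ips -join ',')
                UserAgents         = ($uas -join ' | ')
            }
        }
}

$rows = ConvertFrom-IisLog -Lines ($sample -split "`r?`n")
Find-SuspiciousOwaSession -Rows $rows | Format-Table -AutoSize

# Against a real server, the OWA front end logs to the Default Web Site (W3SVC1 by default):
# $rows = ConvertFrom-IisLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260514.log')
```

In the constructed sample, alice's session is flagged because a request in her name arrives from a second address with a scripted user agent while bob's stays on one browser and one address. Treat a hit as a reason to pull that user's mailbox audit and Sent Items, not as proof of compromise on its own.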

About the author
Sara is a marketing student and tech writing enthusiast with an interest in digital culture, startups, and emerging technologies.
