May 15, 2026
Actively exploited reflected XSS in Exchange Server OWA allows unauthenticated attackers to hijack authenticated sessions via crafted URLs. Microsoft released out-of-band updates and an IIS URL rewrite mitigation (EEMS M2) to address the flaw.
CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.
Microsoft Exchange Server provides the Outlook on the web (OWA) component, functioning as a web-based email client for enterprise environments. OWA processes various HTTP requests, parsing URL parameters and query strings to render dynamic HTML content for authenticated users. This web interface represents a significant external attack surface, as it is frequently exposed directly to the internet to support remote workforce connectivity.
CVE-2026-42897 identifies a high-severity vulnerability within this OWA component, specifically categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. The vulnerability manifests as a reflected Cross-Site Scripting (XSS) condition. Input parameters supplied via HTTP requests are not correctly validated or HTML-encoded before being returned in the server's HTTP response.
Threat actors are actively exploiting this vulnerability in the wild as a zero-day. Successful exploitation requires an attacker to convince an authenticated OWA user to click a specially crafted URL. Due to the lack of input sanitization, the OWA server reflects the attacker's payload, resulting in arbitrary JavaScript execution within the security context of the victim's session.
The root cause of CVE-2026-42897 lies in the server-side rendering logic of the Exchange OWA component. When a client initiates an HTTP GET request containing specific URL paths or query string parameters, the OWA application processes these values to generate the user interface. The vulnerability occurs because the application fails to apply context-aware output encoding before embedding these user-controlled values into the HTML Document Object Model (DOM).
In a secure implementation, characters with special syntactical meaning in HTML, such as angle brackets and quotation marks, must be converted to their corresponding HTML entities. The vulnerable OWA endpoint echoes the raw input directly back to the client. When the victim's browser parses the server response, it interprets the unsanitized input as executable code rather than plain text.
A request of the following form triggers the reflection (the payload shown is a harmless placeholder):

```http
GET /owa/auth/logon.aspx?replaceCurrent=1&url=<script>alert(document.cookie)</script> HTTP/1.1
Host: mail.example.com
```

The resulting response contains the injected <script> tags without proper neutralization. Because the script is served from the legitimate OWA origin, the Same-Origin Policy (SOP) does not restrict it: the browser executes the payload as though the application had intentionally served it, granting the script access to the DOM, session cookies, and local storage associated with the Exchange environment.
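To make the root cause concrete, here is an added Python example (not Exchange or OWA code) that stands in for the server-side rendering step. A hypothetical page template echoes the `url` parameter once raw and once HTML-encoded, and a separate function applies the kind of input validation the fix description refers to by accepting only same-site relative paths as a redirect target. The template, the function names and the fallback path `/owa/` are assumptions made for this example.

```python
"""Added example: why raw reflection of a query parameter is CWE-79 and how
context-aware output encoding plus input validation neutralize it. This is a
stand-in for OWA's server-side rendering, not Exchange code."""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical template for a logon page that echoes the `url` parameter in
# two HTML contexts: a quoted attribute value and element text.
TEMPLATE = (
    '<html><body>'
    '<a id="next" href="{url}">Continue</a>'
    '<p>Redirecting to {url}</p>'
    '</body></html>'
)


def extract_url_param(request_target: str) -> str:
    """Return the `url` query parameter from a request target such as
    /owa/auth/logon.aspx?replaceCurrent=1&url=... (empty string if absent)."""
    query = urlsplit(request_target).query
    return parse_qs(query, keep_blank_values=True).get("url", [""])[0]


def render_vulnerable(url_value: str) -> str:
    """Improper neutralization: the raw parameter is embedded into the page,
    so '<' and '"' keep their HTML meaning and the browser sees markup."""
    return TEMPLATE.format(url=url_value)


def render_hardened(url_value: str) -> str:
    """Output encoding: html.escape(quote=True) converts < > & " ' to entities,
    which is correct for both element text and quoted attribute values."""
    return TEMPLATE.format(url=html.escape(url_value, quote=True))


def safe_redirect_target(url_value: str, default: str = "/owa/") -> str:
    """Input validation for a redirect parameter: encoding alone does not stop
    a javascript: or off-site URL from being followed from an href, so accept
    only same-site absolute paths and fall back to a fixed default otherwise."""
    parts = urlsplit(url_value)
    is_same_site_path = (
        url_value.startswith("/")
        and not url_value.startswith(("//", "/\\"))   # no protocol-relative host
        and parts.scheme == ""
        and parts.netloc == ""
        and all(ord(ch) >= 0x20 for ch in url_value)  # no CR/LF or control bytes
    )
    return url_value if is_same_site_path else default


def browser_would_execute(document: str) -> bool:
    """Crude stand-in for the HTML parser: a live <script tag means the
    reflected input was interpreted as markup rather than as text."""
    return "<script" in document.lower()


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # the page's sample payload
    target = "/owa/auth/logon.aspx?replaceCurrent=1&url=" + payload
    value = extract_url_param(target)
    print("vulnerable executes:", browser_would_execute(render_vulnerable(value)))
    print("hardened executes:  ", browser_would_execute(render_hardened(value)))
    print("validated target:   ", safe_redirect_target(value))
```

The two defenses are complementary: encoding keeps the value from being parsed as markup wherever it is echoed, while validation keeps a value that is legitimately used as a navigation target from pointing anywhere other than the application's own paths.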
Exploitation of CVE-2026-42897 requires the attacker to construct a malicious URL targeting a vulnerable OWA instance. The URL incorporates a JavaScript payload within the specific unsanitized parameters. Since the vulnerability is a reflected XSS, the attacker cannot store the payload on the server. Instead, they must deliver the crafted link to the target user via external channels, such as spear-phishing emails, SMS, or embedding it within a malicious website.
When the victim clicks the link, their browser issues a request to the Exchange server, appending any active session cookies to the request. The Exchange server processes the request and returns the HTML response containing the reflected JavaScript. The victim's browser executes the script immediately upon rendering the page.
The execution occurs within the context of the victim's active authentication session. The primary objective of the attacker's payload is typically session hijacking. The script extracts session tokens or authentication cookies and transmits them asynchronously to an attacker-controlled infrastructure. The attacker then uses these captured credentials to authenticate to the Exchange server, spoofing the victim's identity without requiring the underlying plaintext password.
The successful exploitation of CVE-2026-42897 results in unauthorized access to the victim's Exchange Web Services session. By capturing the session token, the attacker assumes the identity of the authenticated user. This allows the attacker to interact with the OWA interface directly, bypassing primary authentication mechanisms such as Multi-Factor Authentication (MFA), provided the session token remains valid.
Once the session is hijacked, the attacker gains access to the victim's mailbox. The attacker can read sensitive correspondence, exfiltrate file attachments, and send emails on behalf of the compromised user. This capability facilitates lateral movement within the organization, as the attacker can leverage the trusted internal account to launch further phishing campaigns or distribute malware to internal employees.
The Common Vulnerability Scoring System (CVSS) vector reflects the severity of this impact. The vulnerability carries a High base score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The confidentiality and integrity metrics are both rated as High because the attacker gains full read and write access to the targeted mailbox. The availability metric remains None, as the vulnerability does not inherently crash the Exchange service or deny access to legitimate users.
Microsoft addressed CVE-2026-42897 through the release of out-of-band Security Updates (SUs) and Cumulative Updates (CUs) on May 14, 2026. Administrators must apply these updates to vulnerable Exchange Server 2016, 2019, and Subscription Edition environments. The patch introduces comprehensive input validation and output encoding routines to ensure that OWA parameters are properly sanitized before rendering.
In addition to the software patch, Microsoft deployed an emergency mitigation via the Exchange Emergency Mitigation Service (EEMS). The mitigation, identified as M2 (or M2.1), functions as an IIS URL Rewrite Rule. This rule actively inspects incoming HTTP requests directed at the OWA component and blocks patterns that match known exploitation vectors.
Administrators can verify the successful deployment of the EEMS mitigation by querying the Exchange Server configuration using PowerShell:

```powershell
Get-ExchangeServer -Identity <ServerName> | Format-List Name,MitigationsApplied
```

Organizations should also review Internet Information Services (IIS) logs for historical evidence of exploitation. Security teams should search for anomalous query strings or URL paths containing encoded script tags or unusual JavaScript methods accessing the OWA endpoints. Identification of such patterns indicates a potential compromise, requiring immediate password resets and session revocation for affected accounts.
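As an added example (not Microsoft tooling; the log excerpt is constructed for the example), the following Python script shows one way to run that IIS log search: it reads the `#Fields:` header so it works with any field order, URL-decodes each OWA query string repeatedly so double-encoded payloads are unmasked, and flags entries containing script tags, `javascript:` URLs or inline event handlers. The indicator patterns and the `/owa` path prefix are assumptions; tune them to your environment.

```python
"""Added example: hunt IIS W3C logs for reflected-XSS probes against OWA.
Not Microsoft tooling; the log excerpt below is constructed for this example."""
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (example data, not from a real server).
# IIS records the query string as received, so encoded payloads stay encoded.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-15 08:01:10 10.0.0.5 GET /owa/auth/logon.aspx replaceCurrent=1&url=https://mail.example.com/owa/ 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2026-05-15 08:02:45 10.0.0.5 GET /owa/auth/logon.aspx replaceCurrent=1&url=%3Cscript%3Ealert(document.cookie)%3C/script%3E 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 27
2026-05-15 08:03:02 10.0.0.5 GET /owa/auth/logon.aspx url=%253Cscript%253Ealert(1)%253C%252Fscript%253E 443 - 198.51.100.9 curl/8.0 - 200 0 0 25
2026-05-15 08:03:40 10.0.0.5 GET /owa/auth/logon.aspx url=javascript%3Aalert(1) 443 - 198.51.100.9 curl/8.0 - 200 0 0 22
2026-05-15 08:04:30 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\jdoe 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
"""

# Assumed indicator set for reflected-XSS probing; extend for your environment.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    # inline handlers such as onerror=; lookbehind avoids matching inside words
    "event_handler": re.compile(r"(?<![a-z0-9_])on[a-z]+\s*=", re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %253C (double-encoded '<')
    is seen as '<'. Bounded to avoid pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis_log(log_text: str) -> list[dict]:
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names.
    A new #Fields line (after a restart or config change) resets the layout."""
    fields = None
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives: #Software, #Date
            continue
        if fields is None:
            raise ValueError("log entry encountered before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):     # truncated or malformed entry
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def find_owa_xss_probes(log_text: str, path_prefix: str = "/owa") -> list[dict]:
    """Return entries whose decoded query string to an OWA path carries an
    XSS indicator, with the fields an analyst needs for follow-up."""
    hits = []
    for row in parse_iis_log(log_text):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if not stem.lower().startswith(path_prefix) or query == "-":
            continue
        decoded = fully_decode(query)
        matched = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if matched:
            hits.append({
                "timestamp": f"{row.get('date', '')} {row.get('time', '')}",
                "client_ip": row.get("c-ip", ""),
                "user": row.get("cs-username", "-"),
                "status": row.get("sc-status", ""),
                "decoded_query": decoded,
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_owa_xss_probes(SAMPLE_IIS_LOG):
        print(hit["timestamp"], hit["client_ip"], hit["indicators"], hit["decoded_query"])
```

A `200` status on a flagged request is worth noting: on an unpatched server it means the payload was reflected, so the accounts that followed such links (and any session observed from the same client afterwards) are the ones to reset and revoke first.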
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Microsoft Exchange Server 2016 | Microsoft | <= Cumulative Update 23 | Cumulative Update 23 May 2026 SU |
| Microsoft Exchange Server 2019 | Microsoft | <= Cumulative Update 15 | Cumulative Update 14/15 May 2026 SU |
| Microsoft Exchange Server Subscription Edition | Microsoft | RTM | May 2026 SU |

| Attribute | Detail |
|---|---|
| CWE | CWE-79 |
| Attack Vector | Network |
| CVSS Score | 8.1 |
| Impact | Session Hijacking / High Confidentiality & Integrity |
| Exploit Status | Actively Exploited |
| KEV Status | Listed |
CWE-79 description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.