By Excello Mail Team · 6 min read

A Crafted Email Is All It Takes: CVE-2026-42897 Puts Exchange OWA Under Active Attack

Microsoft confirmed active exploitation of CVE-2026-42897 on May 14, 2026. The high-severity flaw lets attackers weaponize a single crafted email against on-premises Exchange Server OWA. There is no permanent patch. Here is what the vulnerability means, why DMARC enforcement reduces the blast radius, and what defenders should do now.

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a spoofing vulnerability in on-premises Exchange Server affecting Outlook Web Access. Within 24 hours, CISA added it to the Known Exploited Vulnerabilities catalog. Within 15 days, the federal remediation deadline passed. As of today, there is still no permanent patch.

The attack vector is an email.

What CVE-2026-42897 Does

The vulnerability is a cross-site scripting flaw in Exchange Server’s OWA component. Its CVSS score is 8.1, placing it in the high-severity tier. The attack chain is direct: an attacker sends a specially crafted email to a target who uses Outlook Web Access to read their mail. When the target opens that email in OWA, the malicious content triggers an XSS payload that executes arbitrary JavaScript in the victim’s browser context.

From that position, an attacker can perform spoofing actions against the user within the OWA interface – modifying displayed content, capturing credentials, redirecting the user, or creating persistent browser-based access without ever touching the mail server itself.

Exchange Online is not affected. The vulnerability exists only in on-premises deployments: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE).

Active Exploitation Confirmed

Microsoft’s disclosure on May 14 came with an unusual admission: the vulnerability was already being exploited in the wild before the advisory was published. CISA responded the following day, adding CVE-2026-42897 to its Known Exploited Vulnerabilities catalog and setting a May 29 deadline for Federal Civilian Executive Branch agencies to apply mitigations.

That deadline has now passed. Federal agencies that met it applied Microsoft’s emergency EEMS (Exchange Emergency Mitigation Service) rule, which Microsoft automatically pushed to Exchange servers with the EM Service enabled. For organizations that had disabled EEMS, or whose servers cannot reach Microsoft’s mitigation infrastructure due to air-gapping, or that are running versions older than the minimum required for automatic mitigation, the server remains unpatched.

The Population at Risk

In 2023, on-premises Exchange deployments represented approximately 16% of worldwide Exchange mailboxes. That figure has continued to decline, but it still represents tens of thousands of organizations – primarily enterprises with regulatory data residency requirements, government agencies that cannot put mail in the cloud, and businesses that have not yet completed Microsoft 365 migrations.

These are not typically small organizations with minimal security teams. Many are exactly the kind of high-value targets that advanced threat actors pursue: government entities, legal firms, healthcare systems, financial institutions, and critical infrastructure operators. A spoofing vulnerability that lands in the OWA of a senior official or a finance team member reading email is not a low-stakes exposure.

How the Email Layer Intersects With This Vulnerability

CVE-2026-42897 requires the attacker to deliver a crafted email to the target. That email has to pass through whatever filters and authentication checks stand between the internet and the victim’s inbox.

This is where DMARC enforcement on the receiving side matters more than the headline summary suggests.

Attackers exploiting this vulnerability need a delivery mechanism. In practice, that means spoofed emails impersonating a trusted sender – an IT administrator, an executive, an external partner – are the most effective lures. A spoofed “IT Security Update” email, apparently sent from your own IT team’s address, that instructs staff to click a link and review a policy document in OWA is a plausible social engineering scenario. If the attacker spoofs a domain with a p=reject DMARC policy, that message never reaches the inbox.

DMARC does not fix the OWA vulnerability. It does not prevent an attacker from sending a crafted email from a domain they control. But it eliminates the highest-trust impersonation vector – the one where the attacker appears to come from inside your organization or from a known-trusted domain – before the email reaches the vulnerable infrastructure.

The organizations most at risk of a high-impact CVE-2026-42897 exploitation scenario are those running on-premises Exchange without the EEMS mitigation applied and without p=reject on their domain. The absence of DMARC enforcement means an attacker can deliver highly convincing impersonation emails to users who then open them in OWA.

The Patch Gap and What It Reveals

The absence of a permanent patch as of the date of this writing is not an anomaly. Exchange Server vulnerabilities have a pattern of extended remediation timelines. The EEMS automatic mitigation covers the most common exploitation paths, but EEMS is not a patch. It is a server-side rule that Microsoft can push and pull remotely, and it does not replace the permanent code fix that must come through a Cumulative Update.

For organizations that have air-gapped Exchange deployments, the manual mitigation path using the Exchange On-premises Mitigation Tool (EOMT) is the available option. Microsoft has documented the procedure through Exchange Management Shell for environments that cannot connect to the mitigation service.

The broader lesson is the same one that emerged from previous Exchange Server zero-days. On-premises mail infrastructure carries an ongoing patching obligation that cloud deployments do not. Each new CVE targeting Exchange Server resets the clock. Each reset demonstrates that the operational cost of running on-premises email is not only the infrastructure investment but also the security maintenance burden that comes with it.

The Cloud Migration Signal

Exchange Online’s immunity to CVE-2026-42897 is not a coincidence. Microsoft’s cloud infrastructure receives security updates continuously without exposing the underlying server to exploitation. An organization running Exchange Online and Microsoft 365 was not affected by this vulnerability at all.

The vulnerability is a data point in a longer argument that CISO and IT leadership teams have been working through for several years. Cloud email is not always the right choice – data residency requirements, air-gap mandates, and specific compliance frameworks legitimately require on-premises infrastructure in some sectors. But for organizations still running on-premises Exchange without a specific regulatory reason, CVE-2026-42897 is the latest in a series of incidents that raises the question of whether the security cost of on-premises is being weighed accurately against the migration cost.

What Defenders Should Do Now

For on-premises Exchange Server organizations:

  • Verify that EEMS is enabled and that the automatic mitigation for CVE-2026-42897 has been applied
  • If EEMS is not available, apply the manual mitigation through EOMT or Exchange Management Shell immediately
  • Monitor for the Cumulative Update that will contain the permanent fix; apply it when available
  • Review OWA access logs for signs of anomalous activity in the May-June window
  • Consider restricting OWA access to VPN-only connections as a compensating control while the mitigation period is active

For all organizations:

  • Verify that your primary sending domain has a DMARC policy at p=reject, not p=none
  • Ensure that all third-party services sending on your domain are properly authenticated with DKIM and covered by SPF
  • Running DMARC at p=reject on your domain removes the ability of attackers to use your trusted identity as a delivery mechanism for crafted emails – whether the target is running Exchange OWA or any other mail client
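To make the receiving-side logic behind the DMARC discussion above and this checklist concrete, here is an added worked example (illustration written for this article, not Excello Mail’s code or any mail server’s implementation). It parses a domain’s DMARC record, checks SPF/DKIM identifier alignment against the visible From domain, and returns the disposition the domain owner asked for. It assumes SPF and DKIM have already been verified upstream and only their passing domains are known; `example.com`, the vendor domains and both records are constructed sample values; the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List; and the `pct=` and `sp=` tags are ignored for brevity.

```python
"""Receiver-side DMARC check, simplified: parse the domain's DMARC record and
decide what happens to a message given its From domain and the domains that
passed SPF and DKIM. Added illustration, not Excello Mail code; all domains and
records below are constructed sample values."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag->value dict.
    Raises ValueError for records that are not usable DMARC1 policies."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def is_enforcing(tags: dict) -> bool:
    """p=none only reports; quarantine and reject actually act on failures."""
    return tags["p"] in ("quarantine", "reject")


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption for this example: a production check consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain. No passing domain means no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str                 # RFC5322.From domain the user sees in OWA
    spf_pass_domain: Optional[str]   # MAIL FROM domain that passed SPF, if any
    dkim_pass_domain: Optional[str]  # d= of a DKIM signature that verified, if any


def evaluate(msg: Message, record: str) -> str:
    """Return 'pass', or the disposition ('none', 'quarantine', 'reject') the
    From domain's owner requested for messages that fail alignment."""
    tags = parse_dmarc_record(record)
    spf_ok = aligned(msg.spf_pass_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(msg.dkim_pass_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed sample records for the impersonated domain (example.com).
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Constructed scenarios.
# 1. The lure: From claims example.com, but SPF only passes for a domain the
#    sender controls and there is no example.com DKIM signature.
SPOOFED_LURE = Message("example.com", "attacker-mail.invalid", None)
# 2. A legitimate third-party service that signs DKIM with d=example.com.
ALIGNED_VENDOR = Message("example.com", "bounces.vendor.example", "example.com")
# 3. A third-party service that was never set up to sign for example.com.
UNALIGNED_VENDOR = Message("example.com", "bounces.vendor.example", "vendor.example")


def demo() -> dict:
    """Run every scenario against both records; keys are (scenario, policy)."""
    results = {}
    for name, msg in [("spoofed_lure", SPOOFED_LURE),
                      ("aligned_vendor", ALIGNED_VENDOR),
                      ("unaligned_vendor", UNALIGNED_VENDOR)]:
        for policy, record in [("reject", ENFORCING), ("none", MONITORING)]:
            results[(name, policy)] = evaluate(msg, record)
    return results


if __name__ == "__main__":
    for (name, policy), outcome in demo().items():
        print(f"{name:18s} under p={policy:7s} -> {outcome}")
```

Two outcomes are the ones worth noticing: the spoofed lure is rejected only under `p=reject` and sails through under `p=none`, which is the whole point of the first checklist item; and the unaligned vendor is rejected just like the lure, which is why the second item (DKIM signing and SPF coverage for every third-party sender) has to be done before moving to enforcement.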

The attack vector for CVE-2026-42897 is an email. Reducing what attackers can use that email to impersonate is within your control regardless of whether you run Exchange, Microsoft 365, or any other mail infrastructure.


Excello Mail helps you reach and maintain p=reject on your sending domain, closing the impersonation vector that makes targeted email attacks more effective. Sign up for free to Excello Mail and see the full picture of your email authentication posture.