Security Alert: Active Exploitation of Microsoft Exchange Server Vulnerability CVE-2026-42897

Microsoft has identified and confirmed active exploitation of CVE-2026-42897, a critical zero-day cross-site scripting (XSS) and spoofing vulnerability in Outlook Web Access (OWA) that affects on-premises Microsoft Exchange Server deployments.

Affected systems
  • Exchange Server 2016 (all update levels)
  • Exchange Server 2019 (all update levels)
  • Exchange Server Subscription Edition (SE) (all update levels)

Security Risks

Successful exploitation may allow a remote attacker to execute arbitrary JavaScript in the context of a victim's browser session when the victim opens a specially crafted email in Outlook Web Access (OWA). Because the script runs inside the authenticated OWA session, this can lead to spoofing, credential theft, session hijacking, and unauthorized access to the mailbox.

Recommended Actions

The National Cyber Security Authority (NCSA) recommends that users and system administrators:
  • Enable Microsoft Exchange Emergency Mitigation Service (EEMS) on affected servers immediately
  • Restrict external access to Outlook Web Access (OWA) to reduce exposure
  • Ensure a recent and verified backup is available before applying updates or mitigation measures
  • Apply Microsoft's official security update as soon as it becomes available
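As an added example (not part of this NCSA advisory or of Microsoft's guidance), the following PowerShell, run from the Exchange Management Shell on a server with Organization Management rights, covers the first two recommendations: it audits and enables EEMS at organization and per-server level using Microsoft's documented MitigationsEnabled/MitigationsApplied/MitigationsBlocked cmdlet properties, checks that the mitigation service (MSExchangeMitigation) is running and can reach its Office Config Service endpoint, and then places an IIS IP allow-list on the /owa virtual directory. The server filter, the subnet ranges and the reachability probe are assumptions and placeholders to adapt to your environment.

```powershell
# Added example: audit and enable the Exchange Emergency Mitigation Service (EEMS)
# on every on-premises Exchange server, then restrict /owa to an allow-list of
# internal ranges. Requires the Exchange Management Shell (Exchange 2016 CU22+,
# 2019 CU11+ or SE) and Organization Management rights.

# --- 1. EEMS must be enabled at organization level AND on each server -----------
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at organization level - enabling"
    Set-OrganizationConfig -MitigationsEnabled $true
}

# Assumption: all servers of interest hold the Mailbox role (Edge servers excluded).
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$report = foreach ($srv in $servers) {
    $s = Get-ExchangeServer -Identity $srv.Name
    if (-not $s.MitigationsEnabled) {
        Write-Warning "$($s.Name): EEMS disabled - enabling"
        Set-ExchangeServer -Identity $s.Name -MitigationsEnabled $true
    }

    # The EM Windows service must be running for mitigations to be fetched and applied.
    $svc = Get-Service -ComputerName $s.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # Reachability probe (assumption: a plain GET is enough to prove connectivity);
    # EEMS downloads mitigations from this Office Config Service URL.
    $ocs = Invoke-Command -ComputerName $s.Name -ScriptBlock {
        try {
            (Invoke-WebRequest -Uri 'https://officeclient.microsoft.com/GetExchangeMitigations' `
                -UseBasicParsing -TimeoutSec 15).StatusCode
        } catch {
            "unreachable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        MitigationsEnabled = $s.MitigationsEnabled
        MitigationsApplied = ($s.MitigationsApplied -join ',')
        MitigationsBlocked = ($s.MitigationsBlocked -join ',')
        EMService          = if ($svc) { $svc.Status } else { 'not found' }
        OCSReachable       = $ocs
    }
}
$report | Format-Table -AutoSize

# --- 2. Reduce OWA exposure: IIS IP/domain restriction on the /owa directory -----
# Placeholder ranges - replace with the internal LAN and VPN ranges that should
# still reach OWA. Everything not listed is denied (allowUnlisted = false).
Import-Module WebAdministration
$owaLocation = 'Default Web Site/owa'
$allowed = @(
    @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0'   }   # placeholder: internal LAN
    @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0' }   # placeholder: VPN pool
)

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $owaLocation `
    -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false

foreach ($range in $allowed) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $owaLocation `
        -Filter 'system.webServer/security/ipSecurity' -Name '.' `
        -Value @{ ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = 'true' }
}

# Show the resulting rules so the change can be verified before users are affected.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $owaLocation `
    -Filter 'system.webServer/security/ipSecurity/add' |
    Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

Two caveats for operators: the ipSecurity section only works when the IIS "IP and Domain Restrictions" role service is installed and the section is not locked at server level, and Exchange cumulative updates can rewrite IIS configuration under the Exchange virtual directories, so re-check both the EEMS status and the OWA restriction after patching. EEMS applies only the interim mitigations Microsoft publishes; it does not replace installing the security update once it is released.
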
For additional details on mitigation, refer to Microsoft’s official guidance.
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.
20 May 2026

© 2026 National Cyber Security Authority