
May 15, 2026

Microsoft Exchange Server flaw actively exploited, no patch available


At a glance: Active exploitation of a high-severity vulnerability in on-premises Microsoft Exchange Server exposes organizations using Outlook Web Access to session-level compromise through a crafted email. There is no patch currently available, and organizations rely on Microsoft’s mitigations and validation of coverage across affected systems. Organizations relying on webmail access need to act now to confirm mitigation is in place and reduce exposure while a permanent fix is developed. 

Threat summary

On May 14, Microsoft reported on active exploitation of an unpatched flaw affecting on-premises Microsoft Exchange Server. It resides in Outlook Web Access (OWA), the browser-based interface for accessing email.

All supported on-premises versions are impacted, including Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition, across all update levels. Exchange Online is not affected.

Microsoft released an immediate mitigation through the Exchange Emergency Mitigation Service (EEMS) while a permanent security update is in development. As of May 15, that permanent patch is still in development and is not broadly available for all deployments. Patch delivery will depend on supported versions and lifecycle status, including Extended Security Update eligibility for Exchange Server 2016 and 2019. Environments running older builds or outside current support eligibility may have limited access to future updates.

Tracked as CVE-2026-42897, this is a cross-site scripting (XSS) vulnerability caused by improper handling of content when Exchange renders email in its web interface.

A threat actor can exploit the issue by sending a crafted email, meaning a message that contains hidden code embedded in the email content. For the exploit to work, the email needs to be opened in Outlook Web Access (OWA), the browser-based version of Outlook. When the message is displayed and the content is processed by the browser, that hidden code can be executed as part of rendering the email.

Successful exploitation allows the threat actor to execute code in the user’s session, enabling credential theft, session hijacking, content manipulation, and internal phishing. The worst-case scenario is compromise of user accounts and follow-on activity within the Exchange environment through trusted access paths, rather than direct infrastructure takeover.

The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.1 and is classified as high severity.

Analysis

Exploitation of this flaw is low complexity and requires no authentication, but it does rely on user action. For impact to occur, the user must open the message in OWA, allowing the browser to render the content. This rendering process triggers execution within the user’s active browser session, not on the Exchange server. The attack pathway aligns with phishing delivery and does not support fully automated exploitation.

Organizations running on-premises Microsoft Exchange Server with OWA exposed are therefore confirmed to be affected. For these environments, EEMS is enabled by default on supported Exchange versions. Systems running builds released before March 2023 may not receive new mitigations through this service. The mitigation is applied at the Exchange server layer through a URL rewrite rule that blocks the vulnerable rendering path before content reaches the browser, preventing code execution from being triggered. Note that the mitigation may affect certain OWA features, including calendar printing and inline image rendering, because it blocks the vulnerable content processing path. These impacts are limited and operational in nature and are outweighed by the need to prevent active exploitation.

For organizations operating affected on-premises Exchange Server deployments, each Exchange server needs to be checked to confirm that the mitigation has been received and applied. If EEMS is disabled or unavailable, Microsoft provides the Exchange On-Premises Mitigation Tool (EOMT) to manually deploy the same protection. This distinction is operationally important, as protection depends on both service availability and server currency. Environments that cannot consume automatic mitigations, including disconnected or older systems, require manual action to achieve the same level of protection.
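The per-server check described above, as an added example written for this article (not Microsoft's own tooling): it reads the EEMS state that Exchange exposes on Get-OrganizationConfig and Get-ExchangeServer and flags any server where mitigations are disabled or the expected mitigation is not listed as applied. It assumes an Exchange Management Shell session with view-only permissions; the mitigation ID is a placeholder to be replaced with the one Microsoft publishes for CVE-2026-42897.

```powershell
# Placeholder only: substitute the mitigation ID from Microsoft's advisory for this CVE.
$ExpectedMitigation = 'REPLACE_WITH_MITIGATION_ID'

# Org-wide switch. If this is $false, no server will pull mitigations from EEMS,
# regardless of the per-server setting below.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEnabled"

# Edge Transport servers do not host OWA, so they are excluded from the check.
$results = Get-ExchangeServer |
    Where-Object { $_.ServerRole -notmatch 'Edge' } |
    ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            # Build number for manual comparison against the March 2023 cutoff
            # noted above; older builds may not receive new EEMS mitigations.
            Version            = $_.AdminDisplayVersion
            MitigationsEnabled = $_.MitigationsEnabled
            Applied            = ($_.MitigationsApplied -join ', ')
            Blocked            = ($_.MitigationsBlocked -join ', ')
            HasExpected        = [bool]($_.MitigationsApplied -contains $ExpectedMitigation)
        }
    }

$results | Format-Table -AutoSize

# A server is at risk when the org switch is off, its own switch is off, or the
# expected mitigation is missing. These are the servers where EOMT must be run
# manually per Microsoft's instructions.
$atRisk = $results | Where-Object {
    -not $orgEnabled -or -not $_.MitigationsEnabled -or -not $_.HasExpected
}

if ($atRisk) {
    Write-Warning "Servers lacking the mitigation: $(($atRisk.Server) -join ', ')"
} else {
    Write-Host 'All non-Edge servers report the expected mitigation as applied.'
}

# Optional, local server only: list the IIS URL rewrite rules on the default site so
# the rule EEMS/EOMT installed can be compared against Microsoft's documented rule.
Import-Module WebAdministration -ErrorAction SilentlyContinue
Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
    -PSPath 'IIS:\Sites\Default Web Site' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty name
```

Run it on a schedule until the permanent update is installed, since a server rebuilt or restored from backup can silently lose the applied mitigation.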


Additional action includes restricting or disabling OWA where it is not required, and limiting access to trusted networks or managed devices to reduce exposure during active exploitation.

Microsoft’s guidance is clear that the confirmed exposure today is limited to webmail access, where the browser processes and executes content from the message. That said, if a client uses a browser engine or an embedded web view to display messages, the question becomes whether it could introduce a similar execution path. There is no evidence that this is happening in practice, and Microsoft has not identified any clients beyond OWA as affected at this time.

For environments outside OWA, it is worth validating whether any clients in use rely on browser-based rendering, particularly in newer or hybrid configurations.

As a precaution, it would be prudent to treat browser-based email access as a managed risk until a permanent patch is available. That includes confirming the Exchange mitigation is active everywhere, understanding where users rely on web access to email, and keeping those access paths limited to controlled environments.
