
May 17, 2026 · 7 min read

Microsoft Confirmed a Zero Day That Fires JavaScript When You Open an Email in OWA—CISA Added It to KEV on May 15

CVE-2026-42897 is a CVSS 8.1 cross-site scripting flaw in on-prem Exchange Server. Attackers send a crafted email, the victim opens it in Outlook Web Access, and arbitrary JavaScript runs inside their authenticated mail session. There is no permanent patch yet.

A blade server in an enterprise data center rack with a single green diagnostic LED illuminated, the surrounding hardware in shadow

A Patch Tuesday That Missed One

On May 15, 2026, Microsoft quietly slipped an "Exploitation Detected" label onto a fresh CVE in its Security Response Center. Two days earlier, the May 2026 Patch Tuesday had shipped fixes for 138 separate vulnerabilities. CVE-2026-42897 was not one of them.

It is a cross-site scripting bug inside Outlook Web Access on on-prem Exchange Server, and an attacker can trigger it by sending an email. When the recipient opens that email in OWA under "certain interaction conditions," arbitrary JavaScript executes in the browser context. CISA added it to the Known Exploited Vulnerabilities catalog the same day Microsoft disclosed it. Federal civilian agencies have until May 29, 2026 to apply the temporary mitigation.

There is still no permanent patch.

What Microsoft's Advisory Actually Says

Microsoft scored CVE-2026-42897 at CVSS 8.1. The advisory describes it as: "Improper neutralization of input during web page generation ('cross site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network."

The flaw lives in the OWA web content rendering path. Exchange Server 2016 (all update levels), Exchange Server 2019 (all update levels), and Exchange Server Subscription Edition are all affected. Exchange Online is not impacted because Microsoft serves OWA from a different code path in the hosted product.

The advisory uses the phrase "certain interaction conditions" without defining them. SOC Prime's analysis the next day noted that "there is no public CVE-2026-42897 PoC in the cited sources, and Microsoft has not published packet level or forensic IOCs." That gap is unusual for a CVE that is already on the KEV list.

Why a Browser Bug in a Mail Client Is Worse Than It Sounds

The naive read of "cross-site scripting" is that someone can pop a JavaScript alert box. The actual read is that attacker-controlled script is running inside a session that is already authenticated to the corporate mail server.

In an OWA session, attacker JavaScript can:

  • Read the entire mailbox the victim has access to, including any encrypted reply chains the victim has already decrypted in their browser
  • Forward, delete, or rewrite messages using the same XHR endpoints OWA uses for normal operation
  • Read and exfiltrate any session cookies that are not marked HttpOnly, plus any anti-CSRF tokens embedded in the page
  • Modify mailbox rules to silently forward inbound mail to an attacker-controlled address — a classic technique for ongoing access
  • Pivot to the Exchange Admin Center if the victim is an admin, opening up tenant-wide control

Because the entry point is "a crafted email opened in OWA," there is no malware to drop, no attachment to detonate, no link to click. The email itself is the payload. That is the same property that has made Outlook preview-pane bugs like CVE-2026-40361 so valuable to nation-state operators over the past two years.

The Patch That Isn't a Patch

Microsoft's first line of defense for CVE-2026-42897 is the Exchange Emergency Mitigation Service. EM Service is enabled by default on supported on-prem Exchange deployments and applies protection automatically through a URL Rewrite rule. The mitigation, internally codenamed M2, blocks the specific OWA request pattern attackers are using to deliver the malicious markup.

There are at least three problems with relying on EM Service alone:

  • Administrators have routinely disabled EM Service in regulated environments because it auto-applies code Microsoft pushes
  • URL Rewrite mitigations can be bypassed when researchers find a second crafted message variant that does not match the rule pattern
  • The rule is a band-aid until a code-level patch ships — and Microsoft has not committed to a date for that patch

This is the same playbook Microsoft used during the ProxyShell era, and the same playbook that produced months of follow-on exploitation as attackers iterated past each successive URL filter.

What Defenders Should Do This Week

CVE-2026-42897 is in active exploitation, on the KEV catalog, and unpatched. The mitigation backlog should look like this:

Tonight:

  • Confirm Exchange Emergency Mitigation Service is enabled and the M2 mitigation has been auto-applied. From Exchange Management Shell: Get-Mitigation -Server <name> and verify M2 is listed and active.
  • If EM Service is disabled, manually apply Microsoft's URL Rewrite rule from the Tech Community advisory.
  • Restrict OWA access at the edge to corporate VPN, Conditional Access, or known IP ranges. There is no business reason to expose OWA to the entire internet during an active zero day.
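A way to run that first check across every server at once, as an added example written for this article rather than taken from it or from Microsoft. It assumes an Exchange Management Shell session, the Get-ExchangeServer properties MitigationsEnabled, MitigationsApplied and MitigationsBlocked (present on Exchange 2016 CU22 / 2019 CU11 and later), the Windows service name MSExchangeMitigation for the EM Service, and the mitigation id M2 that the article names.

```powershell
# Added example (not from the article or Microsoft): confirm EM Service is
# enabled org-wide and per server, that the MSExchangeMitigation Windows
# service is running, and that the "M2" mitigation is listed as applied and
# not blocked on each Mailbox server. Run from Exchange Management Shell with
# View-Only Organization Management rights or better.
$MitigationId = 'M2'   # id taken from the article; adjust if Microsoft renames it

# Organization-level switch for EM Service (assumed property name)
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning 'EM Service is disabled at the organization level (Get-OrganizationConfig MitigationsEnabled = False).'
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Edge Transport servers do not run EM Service; only Mailbox-role servers matter
    if ($srv.ServerRole -notmatch 'Mailbox') { continue }

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    # Query the service state remotely; $null means the query itself failed
    $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'Unknown' }

    $protected = [bool]$orgConfig.MitigationsEnabled -and
                 [bool]$srv.MitigationsEnabled -and
                 ($svcState -eq 'Running') -and
                 ($applied -contains $MitigationId) -and
                 -not ($blocked -contains $MitigationId)

    [pscustomobject]@{
        Server       = $srv.Name
        EmServiceOn  = [bool]$srv.MitigationsEnabled
        ServiceState = $svcState
        M2Applied    = ($applied -contains $MitigationId)
        M2Blocked    = ($blocked -contains $MitigationId)
        AllApplied   = ($applied -join ', ')
        Protected    = $protected
    }
}

$report | Format-Table -AutoSize

# Anything not protected needs the manual URL Rewrite rule from Microsoft's advisory
$gaps = @($report | Where-Object { -not $_.Protected })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} server(s) are not covered by {1}; apply the URL Rewrite rule manually there." -f $gaps.Count, $MitigationId)
}
```

The Protected column is only true when every layer agrees: the org-level switch, the per-server switch, the running service, and M2 present in the applied list but absent from the blocked list. A server that shows M2 as applied while MSExchangeMitigation is stopped will not pick up any revised rule Microsoft pushes later, so treat it as a gap too.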

This week:

  • Pull OWA access logs and look for anomalous JavaScript-heavy POST bodies and any OWA session that issued mailbox rule creation calls shortly after opening a single message.
  • Hunt for new client-side inbox rules forwarding to external addresses, especially rules named like system defaults ("Junk Mail," "Calendar Updates").
  • Audit Exchange Admin Center logins for any non-admin account that suddenly hit admin endpoints.
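The inbox-rule hunt from the list above, written out as an added example that is not from the article or from Microsoft. It assumes an Exchange Management Shell session, the on-prem Get-AcceptedDomain, Get-Mailbox and Get-InboxRule cmdlets, and the recipient string format those cmdlets return ("Display Name" [SMTP:user@example.com]); the list of decoy rule names is constructed here, seeded with the two the article quotes.

```powershell
# Added example (not from the article or Microsoft): walk every mailbox's inbox
# rules and flag any rule that forwards or redirects mail outside the accepted
# domains, deletes messages, or carries a name that imitates a built-in folder.
# Assumes Exchange Management Shell with rights to read all mailboxes' rules.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() }

# Constructed list of names attacker-created rules use to blend in; the first
# two are the ones the article quotes, the rest are common decoys. Extend as needed.
$decoyNames = @('junk mail', 'calendar updates', 'rss feeds', 'conversation history', '.', '..')

function Get-RecipientSmtp {
    # Rule recipients arrive as strings like: "Display Name" [SMTP:user@example.com]
    # Internal GAL recipients may use [EX:...] legacy DNs instead; those are skipped
    # here because they cannot be external.
    param([object[]]$Recipients)
    foreach ($r in @($Recipients)) {
        $s = "$r"
        if ($s -match '\[SMTP:([^\]]+)\]') { $Matches[1].ToLowerInvariant() }
        elseif ($s -match '^[^@\s]+@[^@\s]+$') { $s.ToLowerInvariant() }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    foreach ($rule in @(Get-InboxRule -Mailbox $smtp -ErrorAction SilentlyContinue)) {
        if ($null -eq $rule) { continue }
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $targets = @(Get-RecipientSmtp -Recipients $recipients)
        $external = @($targets | Where-Object { $internalDomains -notcontains ($_ -split '@')[-1] })

        $reasons = @()
        if ($external.Count -gt 0) { $reasons += "forwards to external: $($external -join ', ')" }
        if ($rule.DeleteMessage)   { $reasons += 'deletes messages' }
        if ($decoyNames -contains $rule.Name.Trim().ToLowerInvariant()) { $reasons += 'decoy-style name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $smtp
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Review each hit with: Get-InboxRule -Mailbox <user> -Identity <rule> | Format-List
# before removing it, so a legitimate forwarding rule is not deleted by mistake.
```

A rule that both forwards externally and deletes the original is the combination to prioritise, because the victim never sees the message that was exfiltrated. Running this on a schedule and diffing against the previous run turns it from a one-off hunt into a detection for rules created after the mitigation went in.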

Strategic:

  • Inventory every Exchange Server you still run on-prem. If you can move to Exchange Online or another hosted provider, the cost of staying on premises is no longer just operational — it is a recurring zero-day tax.
  • If you cannot migrate, plan for the next two CVEs. The Exchange OWA codebase has produced a steady cadence of crafted-email bugs going back to ProxyNotShell.

Why Ordinary Users Should Care, Too

If your employer runs on-prem Exchange, your inbox is the soft target right now. The fact that there is no link to click and no attachment to open means the usual phishing advice — hover over links, do not enable macros — does not help here.

Two practical things you can do until your IT team confirms the mitigation is in place:

  • If your IT team offers a desktop Outlook client, use it instead of OWA in the browser until the patch ships. The Outlook desktop client does not render content the same way OWA does, and the specific code path being exploited is OWA-only.
  • Treat any email from an unknown sender that contains complex HTML as suspect. Forward it to your security team rather than opening it in OWA. Most enterprise mail clients have a "view as plain text" mode that is far safer during an active OWA XSS campaign.

The Bigger Pattern

CVE-2026-42897 is the fourth major Exchange OWA flaw added to the KEV catalog in eighteen months. That is not a coincidence. OWA was built in an era when mail clients were assumed to be safe rendering surfaces. Modern attackers treat them as full web applications — which is exactly what they are, and exactly why they keep producing CVE-class bugs. Similar email-borne preview-pane bugs in Microsoft Word and Outlook add-ins have followed the same template through 2026.

Until Microsoft refactors the OWA rendering pipeline, the same pattern will keep happening: a crafted email lands, a script runs, a mailbox is silently rerouted, and a corporate inbox becomes a foothold. The federal mitigation deadline is May 29. The pattern has no deadline.
