
A vulnerability in on-premises Exchange Server that could cause victims’ browsers to execute unexpected scripts has been discovered by Microsoft.
The vulnerability, tracked as CVE-2026-42897, affects Outlook Web Access (OWA) and can be triggered by a specially crafted email that is opened in OWA, provided that “certain interaction conditions are met.” A successful attacker can execute arbitrary JavaScript in the victim’s browser context.
The vulnerability in Outlook Web Access (OWA) allows unauthorized malicious payloads to execute in user mailboxes.
Administrators will be alarmed by the advisory’s description of the problem as a spoofing vulnerability resulting from cross-site scripting, which appears to be under active exploitation. The bug received a CVSS score of 8.1.
Exchange Server 2016, 2019, and the most recent version, Exchange Server Subscription Edition (SE), are all affected regardless of their cumulative update level. A mitigation has been made available through the Exchange Emergency Mitigation (EM) Service.
Microsoft has cautioned that the mitigation may cause other issues, such as the OWA Print Calendar feature not working (Microsoft advises using a screenshot or the Outlook desktop client instead) and inline images no longer rendering in the recipient’s OWA reading pane (Microsoft advises using attachments instead).
Lastly, OWA Light may not function correctly; affected users should consider moving off it, as Microsoft deprecated OWA Light in 2024.
Where customers are not using the EM service, the mitigation can also be applied manually. Such cases include air-gapped or disconnected environments, which are precisely the kinds of settings where on-premises Exchange tends to live.
Microsoft is working on a complete security update, but it will be generally available only for Exchange SE. For Exchange 2016 and 2019 it will be available only to customers enrolled in Period 2 of the Exchange Server Extended Security Updates (ESU) program. This month marked the start of the second Exchange Server ESU period, and Microsoft issued a strong warning that there will be no further extensions. Exchange Online is not affected by the issue.
Microsoft has not disclosed any information regarding the exploit’s functionality or the extent to which it is being used.
While Microsoft prepares a permanent security update, administrators should verify that automated mitigations are active via the Exchange Emergency Mitigation Service using the Health Checker script or deploy the standalone EOMT tool on offline networks, but note that these measures may temporarily disrupt inline image rendering and calendar printing in OWA.
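One way to perform that verification from the Exchange Management Shell, as an added example that is not Microsoft’s or the article’s own code: it reads the documented EM Service properties on Get-OrganizationConfig and Get-ExchangeServer (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) and the state of the MSExchangeMitigation Windows service, and flags servers an administrator should look at. Remote service lookup over WinRM and the output layout are assumptions.

```powershell
# Added example (not from the article or Microsoft). Run in the Exchange
# Management Shell (Windows PowerShell 5.1) on an on-premises Exchange server.
function Get-EmMitigationStatus {
    [CmdletBinding()]
    param()

    # Organization-wide switch: when this is $false no server applies mitigations,
    # regardless of the per-server setting.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer) {
        # Service state is read from each host; assumes WinRM access to every
        # server (assumption, adjust to your environment). In disconnected
        # environments the service may exist but never fetch new mitigations.
        $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation `
                           -ErrorAction SilentlyContinue

        $serviceState = if ($svc) { $svc.Status } else { 'NotFound' }

        [pscustomobject]@{
            Server              = $srv.Name
            AdminDisplayVersion = $srv.AdminDisplayVersion
            OrgMitigationsOn    = $orgEnabled
            ServerMitigationsOn = $srv.MitigationsEnabled
            ServiceStatus       = $serviceState
            Applied             = ($srv.MitigationsApplied -join ', ')
            Blocked             = ($srv.MitigationsBlocked -join ', ')
            # Anything here means the OWA mitigation cannot be assumed present on
            # this host: disabled at org or server level, service missing or
            # stopped, or a mitigation explicitly blocked by an administrator.
            NeedsAttention      = (-not $orgEnabled) -or
                                  (-not $srv.MitigationsEnabled) -or
                                  ($serviceState -ne 'Running') -or
                                  ($srv.MitigationsBlocked.Count -gt 0)
        }
    }
}

# Summary table; servers with NeedsAttention = True should be checked manually
# (or have the mitigation applied by hand on disconnected networks).
Get-EmMitigationStatus | Format-Table -AutoSize
```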