Microsoft has released KB5094139 to address CVE-2026-42897, a critical security vulnerability in Exchange Server’s Outlook on the web (OWA) component. The patch ships as part of the Subscription Edition RTM Security Update 7 (SU7) and is rated Important. Organizations still running Exchange Server 2016 or Exchange Server 2019 must purchase an Extended Security Update (ESU) license to receive the fix for those unsupported versions, which remain in ESU Period 2.

CVE-2026-42897 enables remote code execution via crafted OWA requests, potentially allowing an attacker to compromise the server without authentication. The flaw stems from insufficient input sanitization in the OWA session handling mechanism. Attackers can exploit it by sending specially crafted HTTP requests to an affected Exchange server. Successful exploitation grants SYSTEM-level privileges, making it a high-priority threat for any internet-facing Exchange deployment.

Vulnerability Details

The vulnerability resides in the core OWA authentication logic, affecting all supported Exchange Subscription Edition builds prior to RTM SU7. Microsoft’s internal researchers discovered the bug during an automated code audit and have found no evidence of active exploitation at the time of disclosure. Nevertheless, the public release of the patch signals urgency. Organizations with on-premises, hybrid, or cloud-managed Exchange instances must act quickly.

The CVE-2026-42897 advisory notes two critical attributes:

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None

This combination means an unauthenticated remote attacker can reliably compromise any unpatched Exchange server reachable over HTTP(S). While Microsoft has not specified whether public proof-of-concept code exists, history shows that such OWA vulnerabilities often see rapid weaponization within days of patch release.

What KB5094139 Delivers

KB5094139 is not a stand-alone hotfix; it rolls up all previously released security and quality improvements for Exchange Server Subscription Edition. Applying the update brings the server to build 15.2.1978.7 (RTM SU7). For hybrid environments, the update also includes enhancements to OAuth authentication that strengthen compatibility with Exchange Online and the modern hybrid wizard.

Key components patched in KB5094139:

  • Sanitizes OWA session tokens to prevent cross-site scripting (XSS) and request forgery
  • Hardens the OWA authentication endpoint against injection attacks
  • Adds request throttling and rate limiting for OWA logon pages
  • Backports Azure AD authentication improvements to improve SSO reliability in hybrid deployments

Exchange administrators who already run Subscription Edition RTM SU6 or earlier can install KB5094139 directly via Windows Update, the standalone .msp package, or the Microsoft Update Catalog. The update does not require a schema change, but mounting and unmounting databases is necessary when applying to Mailbox servers.

Deployment Guidance

Microsoft strongly advises patching immediately, especially for servers accessible from the internet. The recommended steps are:

  1. Verify all Exchange servers run a supported OS (Windows Server 2019, 2022, or equivalent).
  2. For Subscription Edition, download KB5094139 from the Microsoft Update Catalog or install via an approved patch management solution.
  3. Run the update in maintenance mode, freeing databases and stopping services in the correct order.
  4. Reboot the server and carefully monitor Application and System event logs for any unexpected errors.

Pilot testing in a staging environment is essential because KB5094139 introduces behavioral changes to OWA request handling. Some third-party reverse proxies or Web Application Firewalls (WAFs) may misinterpret the new token format and block legitimate user traffic.

Several early adopters in the Exchange tech community forum report smooth upgrades, but a handful of posts highlight a transient issue with OWA redirects immediately after patching. The workaround involved clearing the OWA authentication cache and restarting the Exchange Back End website. Microsoft’s support article for KB5094139 acknowledges this and provides a script to automate the cache reset.

Extended Security Updates for Exchange 2016 and 2019

Organizations that have not yet migrated to Exchange Server Subscription Edition face a more complicated path. Exchange Server 2016 and Exchange Server 2019 exited mainstream support in 2023 and are now in ESU Period 2. CVE-2026-42897 affects these versions as well, but you cannot obtain KB5094139 for them without an active ESU license.

The ESU program for Exchange works similarly to Windows Server ESUs. Customers must:

  • Purchase ESU skus through a Microsoft Volume Licensing agreement or a Cloud Solution Provider.
  • Install the ESU activation key on every covered Exchange server.
  • Download the ESU-specific security update for their Exchange 2016/2019 CU that is otherwise identical to the SU7 package in terms of CVE mitigation.

Microsoft has set a deadline for ESU Period 2 coverage through 2026, after which no further security updates will be produced for Exchange 2016 or 2019. This CVE underscores the urgency of completing migration plans to the Subscription Edition or moving to Exchange Online before the ESU clock runs out.

Hybrid Environment Considerations

Over 60% of Exchange on-premises deployments are now in hybrid mode, according to recent industry surveys. KB5094139 brings specific improvements for such configurations:

  • The Hybrid Agent auto-update component now correctly chains with the SU7 installer, preventing a scenario where the agent version falls behind.
  • Modern authentication for Outlook on the web now defaults to OAuth 2.1, dropping support for the deprecated OrganizationId token flow.
  • The Update-HybridConfiguration cmdlet has been updated to enforce the new OWA endpoint security settings across the hybrid fleet.

Hybrid administrators should review the “Hybrid Modern Authentication” documentation after applying SU7, because some custom PowerShell scripts may need updating to accommodate the revised token flow.

Community Reaction and Known Issues

Early posts on the Windows Forum Exchange thread reflect a mixture of relief and frustration. One administrator reported that the update closed a gap they had been monitoring since an internal penetration test flagged OWA as a weak point. Another highlighted the complexity of ESU licensing, noting that their organization spent weeks negotiating with their CSP just to purchase the required keys.

Beyond the OWA redirect hiccup, few widespread bugs have been reported. A small number of users noticed that the Exchange Management Shell throws an access-denied error when running Get-OwaVirtualDirectory immediately after the update. Microsoft’s release health dashboard confirms the issue and advises restarting the WinRM service or rebooting the server a second time.

Mitigations for Organizations That Cannot Patch Immediately

While patching is the only complete remedy, Microsoft lists one partial mitigation for CVE-2026-42897:

  • Restrict OWA access to trusted networks using IP and domain restrictions in IIS or a perimeter firewall.
  • Disable OWA entirely if the feature is not required, though this is rarely practical in enterprise environments.

Because the attack vector is network-based and does not require authentication, these mitigations are insufficient as a long-term substitute. Attackers who gain a foothold inside the trusted network or who bypass network-level controls can still exploit the vulnerability. Organizations should prioritize full patching over temporary workarounds.

Timeline and Next Steps

  • April 8, 2025: CVE-2026-42897 reserved and investigated internally by Microsoft.
  • May 13, 2025: Preliminary disclosure to MAPP partners and select ESU customers.
  • May 20, 2025: Public release of KB5094139 via Windows Update and the Microsoft Update Catalog.
  • May 27, 2025: Expected publication of a Microsoft Defender for Identity detection signature.
  • June 2025: Anticipated addition of CVE-2026-42897 exploit detection to network scanning tools such as Qualys and Tenable.

Microsoft’s security blog accompanying the patch hints at a separate OWA hardening feature slated for the next quarterly update, which will further restrict legacy authentication protocols. Exchange administrators should start auditing their OWA configurations now and eliminate any reliance on Basic authentication for OWA, as this will be fully disabled in a future update.

The Bigger Picture

CVE-2026-42897 is the third critical OWA vulnerability patched in the last eighteen months, signaling that attackers continue to probe this attack surface. The Subscription Edition—intended to be the modern, evergreen foundation for on‑premises Exchange—has thus far met its promise of faster patching and fewer breaking changes compared to the old cumulative update model. But the ESU dependency for legacy versions adds a financial and logistical burden that many small and mid-size organizations are struggling to manage.

Industry analysts recommend that any company planning to stay on Exchange Server on‑premises should budget for Subscription Edition licensing and annual maintenance. For those who cannot justify the cost, a migration to Exchange Online or a supported third-party email platform becomes increasingly unavoidable.

Administrators who need immediate assistance can reach out via the Microsoft Q&A forum or the Exchange Server Tech Community. The update itself is available on the Microsoft Update Catalog and detailed in Microsoft Knowledge Base Article 5094139.

Patching CVE-2026-42897 is not optional. The combination of unauthenticated remote code execution and a public patch release makes every unpatched Exchange server a ticking time bomb.