CISA has escalated the urgency around a cross-site scripting (XSS) flaw in Microsoft Exchange Server’s Outlook Web Access (OWA) by adding CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026. This move signals active exploitation in the wild, making it mandatory for U.S. federal agencies—and a critical priority for all organizations—to remediate the vulnerability within a tight deadline. The vulnerability affects on-premises Exchange servers running OWA, a component that provides browser-based email access to millions of users worldwide.

CISA Adds CVE-2026-42897 to KEV Catalog

The Cybersecurity and Infrastructure Security Agency maintains the KEV catalog as part of Binding Operational Directive (BOD) 22-01, which requires federal civilian executive branch agencies to patch vulnerabilities that are known to be exploited by adversaries. With the addition of CVE-2026-42897, agencies have until June 5, 2026—three weeks from catalog inclusion—to apply the available patches or implement compensating controls. Non-compliance can lead to significant security gaps, as these vulnerabilities are actively being used in attacks to compromise systems.

CISA’s decision to list the vulnerability underscores the severity of the threat. The catalog is reserved for flaws that are both exploitable and actively targeted, meaning that security teams should treat this as an emergency, not a routine update. While the directive is binding for federal agencies, CISA strongly recommends that all organizations, particularly those with internet-facing Exchange servers, prioritize remediation.

What is CVE-2026-42897?

CVE-2026-42897 is a cross-site scripting vulnerability in Microsoft Exchange Server’s Outlook Web Access interface. The flaw allows an attacker to inject malicious scripts into the OWA session of a victim, typically by crafting a specially formulated URL or by embedding script code in an email that gets rendered in the OWA web client. When the victim views the malicious content, the script executes in the context of the user’s browser, with the same permissions and access as the legitimate OWA session.

Microsoft addressed the vulnerability in the May 2026 security updates for Exchange Server. The patches are available for all supported versions, including Exchange Server 2016, Exchange Server 2019, and subscriptions of Exchange Server with the latest cumulative updates. The company’s security update guide classifies the vulnerability as “Important” because it could lead to elevation of privilege or information disclosure if exploited. However, due to active exploitation, the practical risk is higher than the rating might suggest.

Technical Details

The XSS vulnerability exists because OWA improperly sanitizes user-supplied input before reflecting it in HTTP responses. In a typical reflected XSS scenario, an attacker could send a targeted email containing a malicious link to an Exchange user. If the user clicks the link while signed into OWA, the server might echo back the injected script without proper encoding, leading to execution in the browser. Alternatively, a stored XSS variant could be possible if an attacker can inject a script into a shared mailbox element that is later viewed by another user.

Once the script executes, the attacker can perform actions on behalf of the victim, such as reading emails, sending messages, modifying mailbox rules, or even exfiltrating the session token to gain persistent access. Because OWA is often exposed to the internet, this vulnerability is particularly dangerous for organizations that have not yet applied the patch.

Affected Components

The Outlook Web Access component is the primary target. It functions as a web-based client for Exchange server mailboxes, enabling users to check email, calendars, and contacts through a browser. OWA is typically deployed on the Exchange server’s Client Access role and is accessible via HTTPS on the internet or internally. The XSS flaw resides in the way OWA handles certain parameters during request processing. While Microsoft has not disclosed the exact parameter or vector to protect unpatched systems, independent researchers have noted that similar past vulnerabilities involved crafted URLs with malicious JavaScript in the owalight.aspx or attachment.ashx paths.

OWA XSS Attacks: How They Work

Cross-site scripting attacks against webmail interfaces like OWA are a classic vector for credential theft and session hijacking. In this case, an attacker could craft a phishing email that directs the user to a seemingly legitimate OWA URL—except the URL contains encoded JavaScript. When the victim clicks, the OWA server reflects the script back as part of an error message or a legitimate page, causing the browser to execute it.

From there, the attacker’s script can:
- Steal session cookies and authentication tokens, allowing the attacker to impersonate the user.
- Redirect the user to a phishing page that mimics the OWA login screen to harvest credentials.
- Modify inbox rules to forward sensitive emails to an external account.
- Perform data exfiltration by sending emails with attachments to attacker-controlled addresses.
- Execute further attack staging, such as detecting network information for lateral movement.

Because OWA is often the primary method for remote workers to access corporate email, a successful XSS attack can have far-reaching consequences, including business email compromise (BEC) and data breaches.

The CISA KEV Mandate and Deadlines

Under BOD 22-01, federal agencies must remediate KEV-listed vulnerabilities within the timeframe specified by CISA. For CVE-2026-42897, the due date is June 5, 2026. Agencies are required to report their remediation status through federal compliance platforms. Failure to meet the deadline can result in audit findings and increased scrutiny, but more importantly, it leaves critical systems open to exploitation.

While the binding directive applies strictly to federal agencies, private-sector organizations should adopt the same urgency. CISA’s KEV catalog is widely followed as an industry standard for prioritization, and many cybersecurity insurance providers and compliance frameworks reference it. Organizations that fail to patch KEV-listed vulnerabilities may also face liability issues if a breach occurs.

Mitigation and Patching Strategies

Immediate Action: Apply Microsoft’s May 2026 Security Updates

The most effective mitigation is to install the Exchange Server security update released in May 2026. Microsoft typically releases updates on the second Tuesday of each month, and the patch addresses CVE-2026-42897 specifically. To apply the fix:
- Identify the Exchange Server version and current cumulative update level.
- Download the appropriate security patch from the Microsoft Update Catalog or Windows Update.
- Follow Microsoft’s installation guidance: run the update from an elevated command prompt, and ensure all Exchange services are running.
- After installation, verify that the HttpProxy and OWA modules are functioning correctly by testing access.

Workarounds for Delayed Patching

If immediate patching is not feasible, organizations can implement compensating controls:
- Disable OWA internally or externally if it is not required. This can be done by modifying the Exchange virtual directory settings or blocking OWA paths at the firewall. Use the following Exchange Management Shell command to disable OWA: Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -OutlookWebAccessEnabled $false.
- Deploy a web application firewall (WAF) with rulesets that block common XSS payloads, specifically filtering HTTP requests to OWA URLs for script tags and event handlers.
- Implement strict Content Security Policy (CSP) headers on the OWA web application to restrict inline script execution. This can be configured in IIS or through a reverse proxy. For example, adding a Content-Security-Policy: script-src 'self' header can prevent most XSS attacks.
- Enable URL rewriting or scanning at the email gateway to detect and strip suspicious links that contain JavaScript, especially in URLs pointing to the organization’s OWA domain.

Post-Patching Validation

After applying the patch, security teams should:
- Run the Exchange Health Checker script to confirm that all security updates are installed and no anomalies exist.
- Monitor Exchange server logs for unusual OWA request patterns, especially those containing script tags or encoded characters.
- Conduct a penetration test focused on the OWA endpoint to ensure the XSS vector is closed.

Detection and Long-Term Defenses

Monitoring for Exploitation Attempts

Organizations should proactively hunt for indicators of compromise (IOCs) related to CVE-2026-42897. While specific IOCs may be published by security vendors, general detection strategies include:
- Analyzing IIS logs for OWA requests that contain JavaScript keywords like script, onerror, onload, or eval. Look for requests to /owa/auth/ or /owa/ paths with unusually long query strings.
- Reviewing Exchange mailbox audit logs for signs of unauthorized inbox rule creation or message forwarding.
- Checking OWA web page source code or server-side logs for modifications that might indicate a stored XSS exploit.

Strengthening Exchange Server Security Posture

Given the frequent targeting of Exchange servers, organizations should adopt a defense-in-depth approach:
- Segment Exchange servers from the rest of the network and restrict internet access to only necessary ports (443/TCP for OWA and EWS, if required).
- Require multi-factor authentication (MFA) for OWA and other Exchange web services. While MFA doesn’t directly prevent XSS, it adds a critical layer in case session tokens are stolen.
- Update regularly – not just security patches, but also cumulative updates. Running an older, unsupported cumulative update leaves systems vulnerable to multiple known exploits.
- Monitor for anomalous OWA activity using SIEM correlation rules. For example, alert on multiple OWA logins from unusual IP addresses or sessions that access an unrealistic number of mailboxes.

The Broader Exchange Security Landscape

The addition of CVE-2026-42897 to the KEV catalog is part of a troubling trend. Microsoft Exchange servers have been high-value targets for cybercriminals and state-sponsored groups for years. Vulnerabilities like ProxyLogon (CVE-2021-26855), ProxyShell (CVE-2021-34473), and ProxyNotShell (CVE-2022-41040) led to widespread exploitation and ransomware attacks. Each time, the common thread was delayed patch deployment, leaving internet-facing Exchange servers exposed.

CVE-2026-42897, while categorized as a client-side XSS, should not be underestimated. Attackers can combine it with social engineering to compromise privileged accounts. Furthermore, because OWA is the most exposed component of Exchange, any vulnerability in it provides an open door to internal mailboxes.

The May 2026 security update also addresses other vulnerabilities, and organizations that defer this patch risk additional exposures. Microsoft’s security patch bundle includes fixes for remote code execution (RCE) flaws that could be chained with this XSS to achieve deeper system access.

Conclusion: Patch Now Before It’s Too Late

The inclusion of CVE-2026-42897 in CISA’s KEV catalog removes any doubt about the urgency of this vulnerability. With active exploitation underway and a binding three-week deadline for federal agencies, security teams must act decisively. Patching should be the primary focus, supplemented by workarounds where immediate updates are impossible.

Exchange administrators should also use this as an opportunity to audit the overall security posture of their messaging infrastructure. OWA XSS vulnerabilities rarely exist in isolation; they often expose broader weaknesses in input validation, output encoding, and web application hardening. By applying the May 2026 patches, enabling MFA, and enhancing monitoring, organizations can not only mitigate this threat but also build resilience against future attacks.

For detailed information, refer to the Microsoft Security Update Guide and CISA’s Known Exploited Vulnerabilities Catalog. Do not wait until a breach occurs—the time to act is now.