Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure
CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
Executive Summary
CISA added CVE-2026-42897 to KEV on 2026-05-15 with a due date of 2026-05-29 CISA KEV. MSRC marks exploitation detected and describes a crafted-email path where OWA user interaction can execute arbitrary JavaScript in the browser context MSRC.
MSRC does not provide a normal update table in the public advisory. The closure anchor is Exchange Emergency Mitigation Service mitigation ID M2 and evidence that the service is running, connected, and not blocked Microsoft Learn.
Key Facts
```yaml
cve: "CVE-2026-42897"
vendor: "Microsoft"
product: "Exchange Server OWA"
kev_added: "2026-05-15"
kev_due: "2026-05-29"
vulnerability: "Cross-site scripting / spoofing via crafted email opened in Outlook Web Access"
cwe: ["CWE-79"]
affected_products:
  - "Exchange Server 2016"
  - "Exchange Server 2019"
  - "Exchange Server Subscription Edition"
mitigation: "Exchange Emergency Mitigation Service mitigation ID M2"
permanent_update_table: "not_available_as_of_msrc_publication"
cvss_v31: "8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
msrc_exploited: true
msrc_publicly_disclosed: false
```
Source Confidence & Evidence Mapping
- confirmed: CISA KEV lists CVE-2026-42897 as known exploited CISA KEV.
- confirmed: MSRC marks exploitation detected and describes the OWA crafted-email interaction path MSRC.
- confirmed: Microsoft documents Exchange Emergency Mitigation Service and the Exchange mitigation scripts used for service and mitigation visibility Microsoft Learn.
- confirmed: NVD lists CWE-79 and CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N NVD.
Impact Determination
| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | OWA telemetry or mailbox audit evidence shows crafted-email interaction and follow-on mailbox/session activity while M2 is absent, blocked, or failed. | Exchange version, OWA logs, EEMS state, mailbox audit rows, timestamp, and user identity. | Preserve HttpProxy OWA logs, EEMS logs, mailbox audit logs, and suspect messages. | M2 is applied and downstream OWA/mailbox audit has no unexplained access or permission changes. |
| Presumed exposed | Exchange 2016, 2019, or Subscription Edition with OWA exposure has EEMS disabled, disconnected, blocked, or missing M2. | Get-ExchangeServer, MSExchangeMitigation service state, and mitigation script output. | Keep the server in scope until EEMS M2 is verified. | EEMS is running, connectivity succeeds, and M2 is present and not blocked. |
| Potentially exposed | Exchange server exists but OWA exposure, EEMS state, or mitigation output is missing. | Exchange Management Shell, CMDB, scanner, or proxy evidence naming Exchange/OWA. | Collect Exchange and EEMS outputs. | Server resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
| Not exposed | No affected Exchange server or OWA surface is present, or M2 is verified on the server. | Negative asset evidence or mitigation verification output. | None for this CVE. | Evidence is attached to the server record. |
| Unknown | Exchange shell, EEMS logs, or OWA logs are unavailable. | Gap statement naming unavailable sources. | Keep internet-facing Exchange OWA servers in scope. | Evidence is recovered or the risk owner accepts the named gap. |
Timeline
- 2026-05-14: MSRC publishes CVE-2026-42897 with exploitation detected MSRC.
- 2026-05-15: CISA adds CVE-2026-42897 to KEV with due date 2026-05-29 CISA KEV.
- 2026-05-18: MSRC updates FAQ information for CVE-2026-42897 MSRC.
What Happened
The public handling path is mitigation verification, not a package update. MSRC says EEMS provides mitigation automatically when enabled and identifies mitigation M2 as the required control path for CVE-2026-42897 MSRC.
Technical Analysis
The exploitation path requires a crafted email and user interaction in OWA. Because the payload executes as JavaScript in the user's browser rather than as a process on the Exchange host, mailbox session activity and OWA proxy logs are more useful evidence than host-only process telemetry.
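Because the useful evidence is OWA session activity, the following added example (not part of the original page or of Microsoft's tooling) parses Exchange HttpProxy OWA log text and builds a per-user pivot of which client IPs and user agents reached each mailbox. The parser reads column names from each log's own `#Fields:` header rather than hard-coding them; the specific columns it then uses (`DateTime`, `AuthenticatedUser`, `ClientIpAddress`, `UserAgent`) are an assumption about the common HttpProxy header, and the sample lines are constructed data, not real telemetry.

```powershell
# Added example, not the page's own script. Parses HttpProxy OWA log lines into objects
# using the '#Fields:' header found in each log file, then pivots per authenticated user.
# Column names used below are assumed from the common HttpProxy layout; sample data is constructed.
function ConvertFrom-HttpProxyLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    begin { $header = $null }
    process {
        # Each log file carries its own header; later headers replace earlier ones.
        if ($Line.StartsWith('#Fields:')) { $header = $Line.Substring(8).Trim() -split ','; return }
        if ($Line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($Line)) { return }
        if (-not $header) { throw 'Data row seen before a #Fields header.' }
        $Line | ConvertFrom-Csv -Header $header
    }
}

function Get-OwaClientPivot {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Row)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { if ($Row.AuthenticatedUser) { $rows.Add($Row) } }
    end {
        $rows | Group-Object AuthenticatedUser | ForEach-Object {
            $ips   = @($_.Group | ForEach-Object ClientIpAddress | Sort-Object -Unique)
            $uas   = @($_.Group | ForEach-Object UserAgent | Sort-Object -Unique)
            $times = @($_.Group | ForEach-Object DateTime | Sort-Object)
            [pscustomobject]@{
                User       = $_.Name
                Requests   = $_.Count
                ClientIPs  = ($ips -join ';')
                UserAgents = $uas.Count
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
                # One user reached from several client IP/user-agent pairs inside the window is
                # the pivot to compare against mailbox audit rows; it is not proof of compromise.
                Review     = ($ips.Count -gt 1 -or $uas.Count -gt 1)
            }
        }
    }
}

# Constructed sample log (assumed header layout). On a server replace this with:
#   Get-ChildItem (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Owa') -Recurse -File | Get-Content
$SampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus,Method
2026-05-16T08:01:10.000Z,a1,/owa/,alice@contoso.example,Smtp~alice@contoso.example,Mozilla/5.0 Firefox/126.0,10.0.0.5,200,GET
2026-05-16T08:03:42.000Z,a2,/owa/service.svc,alice@contoso.example,Smtp~alice@contoso.example,Mozilla/5.0 Firefox/126.0,10.0.0.5,200,POST
2026-05-16T08:04:05.000Z,a3,/owa/service.svc,alice@contoso.example,Smtp~alice@contoso.example,python-requests/2.31,203.0.113.7,200,POST
2026-05-16T08:10:00.000Z,b1,/owa/,bob@contoso.example,Smtp~bob@contoso.example,Mozilla/5.0 Edge/124.0,10.0.0.9,200,GET
'@ -split "`r?`n"

$SampleLog | ConvertFrom-HttpProxyLog | Get-OwaClientPivot | Format-Table -AutoSize
```

With the constructed sample, `alice@contoso.example` is returned with `Review = True` (two client IPs and two user agents inside the window) while `bob@contoso.example` is `False`; the `Review` rows are the ones to line up against the mailbox audit output in the downstream section, within the same time window.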
Affected Assets and Blast Radius
```yaml
asset_selectors:
  - "Exchange Server 2016"
  - "Exchange Server 2019"
  - "Exchange Server Subscription Edition"
  - "Outlook Web Access"
  - "OWA"
mitigation_selectors:
  - "M2"
  - "MSExchangeMitigation"
  - "MitigationsApplied"
  - "MitigationsBlocked"
data_at_risk:
  - "OWA browser sessions"
  - "mailbox access"
  - "delegated mailbox permissions"
  - "message access through affected OWA sessions"
```
Indicators And Detection Selectors
```yaml
cves: ["CVE-2026-42897"]
mitigation_id: "M2"
services: ["MSExchangeMitigation"]
paths:
  - "Logging/MitigationService"
  - "Logging/HttpProxy/Owa"
telemetry_selectors:
  - "Outlook Web Access"
  - "OWA"
  - "MitigationsApplied"
  - "MitigationsBlocked"
  - "M2"
```
Detection and Hunting
```powershell
# Hunt script: records EEMS service and per-server mitigation state, then searches the
# MitigationService and HttpProxy\Owa logs for the selectors above. Run from the Exchange Management Shell.
$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-exchange-cve-2026-42897-hunt" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null
$Cve = "CVE-2026-42897"
$MitigationId = "M2"
$ExchangePath = $env:ExchangeInstallPath
if ([string]::IsNullOrWhiteSpace($ExchangePath)) {
    throw "ExchangeInstallPath is not set. Run in Exchange Management Shell."
}
# MSExchangeMitigation must be running for EEMS to deliver M2.
Get-Service MSExchangeMitigation | Select-Object Name, Status, StartType |
    Export-Csv -NoTypeInformation -Path (Join-Path $Out "ms-exchange-mitigation-service.csv")
# Mitigation state as Exchange reports it for each server.
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Export-Csv -NoTypeInformation -Path (Join-Path $Out "exchange-server-mitigation-state.csv")
$Roots = @(
    (Join-Path $ExchangePath "Logging\MitigationService"),
    (Join-Path $ExchangePath "Logging\HttpProxy\Owa")
)
foreach ($Root in $Roots) {
    if (Test-Path $Root) {
        Get-ChildItem -Path $Root -Recurse -File |
            Select-String -Pattern $Cve, $MitigationId, "Outlook Web Access", "OWA", "MitigationsApplied", "MitigationsBlocked", "Failed" |
            Select-Object Path, LineNumber, Line |
            Export-Csv -NoTypeInformation -Append -Path (Join-Path $Out "exchange-cve-2026-42897-selectors.csv")
    }
}
# Positive signal: M2 absent, blocked, failed, or OWA activity tied to CVE-2026-42897 on an exposed Exchange server.
Write-Host "wrote $Out"
```
Patch, Mitigation, and Verification
```powershell
# Closure script: captures the Exchange mitigation script output and per-server M2 state
# that the closure condition requires. Run from the Exchange Management Shell.
$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-exchange-cve-2026-42897-closure" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null
$Cve = "CVE-2026-42897"
$MitigationId = "M2"
$ExchangePath = $env:ExchangeInstallPath
if ([string]::IsNullOrWhiteSpace($ExchangePath)) {
    throw "ExchangeInstallPath is not set. Run in Exchange Management Shell."
}
# Microsoft's Exchange mitigation scripts, shipped in the Scripts folder of the install path.
$Scripts = Join-Path $ExchangePath "Scripts"
if (Test-Path (Join-Path $Scripts "Get-Mitigations.ps1")) {
    & (Join-Path $Scripts "Get-Mitigations.ps1") | Out-File -Encoding utf8 -FilePath (Join-Path $Out "get-mitigations.txt")
}
if (Test-Path (Join-Path $Scripts "Test-MitigationServiceConnectivity.ps1")) {
    & (Join-Path $Scripts "Test-MitigationServiceConnectivity.ps1") | Out-File -Encoding utf8 -FilePath (Join-Path $Out "test-mitigation-service-connectivity.txt")
}
# JSON keeps the multi-valued MitigationsApplied/MitigationsBlocked properties readable.
Get-ExchangeServer | Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    ConvertTo-Json -Depth 5 | Out-File -Encoding utf8 -FilePath (Join-Path $Out "exchange-m2-state.json")
[pscustomobject]@{
    cve                    = $Cve
    required_mitigation_id = $MitigationId
    msrc_source            = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897"
    eems_source            = "https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service"
    remediation_trigger    = "MSExchangeMitigation stopped, EEMS connectivity failure, M2 absent, or M2 blocked keeps CVE-2026-42897 open."
} | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "exchange-cve-2026-42897-closure-metadata.json")
# Remediation trigger: MSExchangeMitigation stopped, EEMS connectivity failure, M2 absent, or M2 blocked keeps CVE-2026-42897 open.
Write-Host "wrote $Out"
```
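The Impact Determination table and the closure script above leave the actual classification to the analyst. The following added example (not part of the original page, and not Microsoft's tooling) encodes the table's rows as a function that scores one server from the evidence the closure script collects. `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` are the `Get-ExchangeServer` properties the page already uses; `ConnectivityOk` is assumed to be derived by the caller from the `Test-MitigationServiceConnectivity.ps1` output, and `OwaExposed` from inventory or proxy evidence. The "Confirmed compromise" row needs the downstream audit and is not decided here; the function only reports whether the CVE stays open.

```powershell
# Added example, not the page's own script. Classifies one Exchange server against the
# Impact Determination table. ConnectivityOk and OwaExposed are assumed caller-supplied inputs.
function Get-Cve202642897Exposure {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [string] $ServiceStatus,             # Get-Service MSExchangeMitigation Status; '' if not collected
        [Nullable[bool]] $MitigationsEnabled,
        [string[]] $MitigationsApplied = @(),
        [string[]] $MitigationsBlocked = @(),
        [Nullable[bool]] $ConnectivityOk,    # $true/$false from Test-MitigationServiceConnectivity.ps1; $null if not collected
        [Nullable[bool]] $OwaExposed,        # $true/$false from asset/proxy evidence; $null if not collected
        [switch] $SourcesUnavailable,        # Exchange shell, EEMS logs, or OWA logs cannot be obtained
        [string] $MitigationId = 'M2'
    )

    # Gaps: evidence the table requires that was not collected.
    $gaps = @()
    if ([string]::IsNullOrWhiteSpace($ServiceStatus)) { $gaps += 'MSExchangeMitigation service state' }
    if ($null -eq $MitigationsEnabled)                { $gaps += 'Get-ExchangeServer mitigation state' }
    if ($null -eq $ConnectivityOk)                    { $gaps += 'EEMS connectivity result' }

    # Reasons: collected evidence that fails the closure condition.
    $reasons = @()
    if ($ServiceStatus -and $ServiceStatus -ne 'Running') { $reasons += "MSExchangeMitigation is $ServiceStatus" }
    if ($MitigationsEnabled -eq $false)                   { $reasons += 'MitigationsEnabled is false' }
    if ($ConnectivityOk -eq $false)                       { $reasons += 'EEMS connectivity check failed' }
    if ($null -ne $MitigationsEnabled -and $MitigationsApplied -notcontains $MitigationId) {
        $reasons += "$MitigationId not in MitigationsApplied"
    }
    if ($MitigationsBlocked -contains $MitigationId)      { $reasons += "$MitigationId in MitigationsBlocked" }

    # Closure condition: service running, connectivity succeeds, M2 present and not blocked, no gaps.
    $verified = ($gaps.Count -eq 0) -and ($reasons.Count -eq 0)

    $classification = if ($OwaExposed -eq $false -or $verified)        { 'Not exposed' }
                      elseif ($OwaExposed -eq $true -and $reasons.Count) { 'Presumed exposed' }
                      elseif ($SourcesUnavailable)                       { 'Unknown' }
                      else                                               { 'Potentially exposed' }

    $allGaps = @($gaps)
    if ($null -eq $OwaExposed) { $allGaps += 'OWA exposure evidence' }

    [pscustomobject]@{
        Server          = $ServerName
        Classification  = $classification
        CveOpen         = ($classification -ne 'Not exposed')
        Reasons         = ($reasons -join '; ')
        MissingEvidence = ($allGaps -join '; ')
    }
}

# Constructed sample evidence for three servers: M2 verified, M2 blocked, and no evidence obtainable.
$Servers = @(
    @{ ServerName = 'EX01'; ServiceStatus = 'Running'; MitigationsEnabled = $true; MitigationsApplied = @('M2'); MitigationsBlocked = @();     ConnectivityOk = $true; OwaExposed = $true },
    @{ ServerName = 'EX02'; ServiceStatus = 'Running'; MitigationsEnabled = $true; MitigationsApplied = @();     MitigationsBlocked = @('M2'); ConnectivityOk = $true; OwaExposed = $true },
    @{ ServerName = 'EX03'; ServiceStatus = '';        MitigationsEnabled = $null; ConnectivityOk = $null; OwaExposed = $null; SourcesUnavailable = $true }
)
$Servers | ForEach-Object { $p = $_; Get-Cve202642897Exposure @p } | Format-Table -AutoSize
```

With the constructed input, EX01 classifies as "Not exposed" with `CveOpen = False`, EX02 as "Presumed exposed" with both M2 reasons listed, and EX03 as "Unknown" with every evidence source named in `MissingEvidence`; on a real server the inputs come from the `exchange-m2-state.json` and service CSV written by the scripts above.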
Downstream Abuse Audits
```powershell
# Downstream audit: collects mailbox audit rows for the exposure window and OWA proxy log
# lines matching the selectors, so OWA session activity can be tied to mailbox access.
$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-exchange-cve-2026-42897-downstream" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null
$Cve = "CVE-2026-42897"
$Since = (Get-Date).AddDays(-14)
$ExchangePath = $env:ExchangeInstallPath
# Mailbox audit logging is only available through the Exchange Management Shell.
if (Get-Command Search-MailboxAuditLog -ErrorAction SilentlyContinue) {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        Search-MailboxAuditLog -Identity $_.PrimarySmtpAddress -StartDate $Since -LogonTypes Admin,Delegate,Owner -ShowDetails -ErrorAction SilentlyContinue |
            Select-Object MailboxOwnerUPN, LogonUserDisplayName, Operation, OperationResult, LastAccessed, ClientIPAddress, ClientInfoString
    } | Export-Csv -NoTypeInformation -Path (Join-Path $Out "mailbox-audit-cve-2026-42897-window.csv")
}
# OWA proxy log lines are collected when the install path is known; the script still runs without it.
if ($ExchangePath) {
    $OwaRoot = Join-Path $ExchangePath "Logging\HttpProxy\Owa"
    if (Test-Path $OwaRoot) {
        Get-ChildItem -Path $OwaRoot -Recurse -File |
            Select-String -Pattern $Cve, "OWA", "Outlook Web Access", "M2" |
            Select-Object Path, LineNumber, Line |
            Export-Csv -NoTypeInformation -Path (Join-Path $Out "owa-selector-lines.csv")
    }
}
# Positive signal: OWA session activity or mailbox access after crafted-email interaction on a server where M2 was absent, blocked, or failed.
# Remediation trigger: unexplained OWA or mailbox access keeps affected browser sessions and mailboxes in scope.
Write-Host "wrote $Out"
```