Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure

Suspected
Discovered May 26, 2026

CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.

0
Affected Packages
0
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-42897 to KEV on 2026-05-15 with a due date of 2026-05-29 CISA KEV opens in a new tab. MSRC marks exploitation detected and describes a crafted-email path where OWA user interaction can execute arbitrary JavaScript in the browser context MSRC opens in a new tab.

MSRC does not provide a normal update table in the public advisory. The closure anchor is Exchange Emergency Mitigation Service mitigation ID M2 and evidence that the service is running, connected, and not blocked Microsoft Learn opens in a new tab.

Key Facts

Cve: CVE-2026-42897

Vendor: Microsoft

Product: Exchange Server OWA

Kev Added: 2026-05-15

Kev Due: 2026-05-29

Vulnerability: Cross-site scripting / spoofing via crafted email opened in Outlook Web Access

Cwe:

  • CWE-79

Affected Products:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition

Mitigation: Exchange Emergency Mitigation Service mitigation ID M2

Permanent Update Table: not_available_as_of_msrc_publication

Cvss V31: 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Msrc Exploited: true

Msrc Publicly Disclosed: false

Evidence Assessment

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseOWA telemetry or mailbox audit evidence shows crafted-email interaction and follow-on mailbox/session activity while M2 is absent, blocked, or failed.Exchange version, OWA logs, EEMS state, mailbox audit rows, timestamp, and user identity.Preserve HttpProxy OWA logs, EEMS logs, mailbox audit logs, and suspect messages.M2 is applied and downstream OWA/mailbox audit has no unexplained access or permission changes.
Presumed exposedExchange 2016, 2019, or Subscription Edition with OWA exposure has EEMS disabled, disconnected, blocked, or missing M2.Get-ExchangeServer, MSExchangeMitigation service state, and mitigation script output.Keep the server in scope until EEMS M2 is verified.EEMS is running, connectivity succeeds, and M2 is present and not blocked.
Potentially exposedExchange server exists but OWA exposure, EEMS state, or mitigation output is missing.Exchange Management Shell, CMDB, scanner, or proxy evidence naming Exchange/OWA.Collect Exchange and EEMS outputs.Server resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedNo affected Exchange server or OWA surface is present, or M2 is verified on the server.Negative asset evidence or mitigation verification output.None for this CVE.Evidence is attached to the server record.
UnknownExchange shell, EEMS logs, or OWA logs are unavailable.Gap statement naming unavailable sources.Keep internet-facing Exchange OWA servers in scope.Evidence is recovered or the risk owner accepts the named gap.

What Happened

The public handling path is mitigation verification, not a package update. MSRC says EEMS provides mitigation automatically when enabled and identifies mitigation M2 as the required control path for CVE-2026-42897 MSRC opens in a new tab.

Technical Analysis

The exploitation path requires a crafted email and OWA interaction conditions. Because the payload executes JavaScript in the browser context, mailbox session activity and OWA proxy logs are more useful than host-only process telemetry. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition
  • Outlook Web Access
  • OWA

Mitigation Selectors:

  • M2
  • MSExchangeMitigation
  • MitigationsApplied
  • MitigationsBlocked

Data At Risk:

  • OWA browser sessions
  • mailbox access
  • delegated mailbox permissions
  • message access through affected OWA sessions

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following PowerShell script can be executed to apply mitigations or verify the patch status:

$ErrorActionPreference = "Stop"
$Out = $env:OUT
if ([string]::IsNullOrWhiteSpace($Out)) { $Out = "hp-exchange-cve-2026-42897-closure" }
New-Item -ItemType Directory -Force -Path $Out | Out-Null

$Cve = "CVE-2026-42897"
$MitigationId = "M2"
$ExchangePath = $env:ExchangeInstallPath
if ([string]::IsNullOrWhiteSpace($ExchangePath)) {
  throw "ExchangeInstallPath is not set. Run in Exchange Management Shell."
}
$Scripts = Join-Path $ExchangePath "Scripts"

if (Test-Path (Join-Path $Scripts "Get-Mitigations.ps1")) {
  & (Join-Path $Scripts "Get-Mitigations.ps1") | Out-File -Encoding utf8 -FilePath (Join-Path $Out "get-mitigations.txt")
}
if (Test-Path (Join-Path $Scripts "Test-MitigationServiceConnectivity.ps1")) {
  & (Join-Path $Scripts "Test-MitigationServiceConnectivity.ps1") | Out-File -Encoding utf8 -FilePath (Join-Path $Out "test-mitigation-service-connectivity.txt")
}

Get-ExchangeServer | Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
  ConvertTo-Json -Depth 5 | Out-File -Encoding utf8 -FilePath (Join-Path $Out "exchange-m2-state.json")

[pscustomobject]@{
  cve = $Cve
  required_mitigation_id = $MitigationId
  msrc_source = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897"
  eems_source = "https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service"
  remediation_trigger = "MSExchangeMitigation stopped, EEMS connectivity failure, M2 absent, or M2 blocked keeps CVE-2026-42897 open."
} | ConvertTo-Json | Out-File -Encoding utf8 -FilePath (Join-Path $Out "exchange-cve-2026-42897-closure-metadata.json")

# Remediation trigger: MSExchangeMitigation stopped, EEMS connectivity failure, M2 absent, or M2 blocked keeps CVE-2026-42897 open.
Write-Host "wrote $Out"

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026DiscoveryDiscovery recorded for Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure.nvd.nist.gov
May 26, 2026First seenFirst seen recorded for Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure.nvd.nist.gov
May 26, 2026Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation ExposureUnknownnvd.nist.gov
May 26, 2026DisclosureDisclosure recorded for Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure.nvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-microsoft-exchange-cve-2026-42897-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
cisa.govSecurity Researcher95%1CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
msrc.microsoft.comSecurity Researcher95%1CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
learn.microsoft.comSecurity Researcher95%1CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.