CISA has added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability affecting Outlook Web Access (OWA), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Security Affairs reports that Microsoft has confirmed exploitation in the wild and issued temporary mitigations while defenders wait for a permanent security update.
That combination should move this issue to the top of the queue for any organization still running on-premises Exchange: internet-facing email, browser-based access, active exploitation, and no full patch yet. For small businesses, managed service providers, and government contractors, Exchange is not just another server. It is a high-value identity, communications, and workflow platform that often touches every user in the organization.
What was reported
According to Security Affairs, CVE-2026-42897 is an improper input neutralization issue in Microsoft Exchange Server that can allow spoofing over the network. The report notes that the issue affects Outlook Web Access and may be triggered when a user opens a specially crafted email in OWA under certain conditions.
CISA’s alert states that the vulnerability has been added to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by the required due date, and CISA strongly urges private-sector organizations to prioritize the same catalog as part of vulnerability management.
Microsoft’s advisory for CVE-2026-42897 should be treated as the authoritative source for affected versions, mitigation status, and update availability.
Why this matters
Exchange vulnerabilities remain dangerous because email sits at the center of business operations. Even when a flaw is described as cross-site scripting or spoofing rather than remote code execution, defenders should avoid downplaying it. In OWA, attacker-controlled script can run in a trusted browser session, creating opportunities for credential theft, token abuse, email rule manipulation, internal phishing, or follow-on compromise depending on the user context and exploit chain.
For organizations with government customers, the risk is bigger than mailbox access. Email often contains proposal data, contract discussions, invoices, HR records, incident reports, legal correspondence, password reset flows, and supplier communications. A foothold in email can become a foothold in the business.
Immediate defensive actions
- Identify exposure: Confirm whether any on-premises Exchange Server systems expose OWA or Exchange admin interfaces to the internet.
- Apply Microsoft mitigations: Follow Microsoft’s CVE-2026-42897 guidance exactly, and document when mitigations were applied.
- Restrict access: If operationally possible, limit OWA access to VPN, trusted IP ranges, conditional access, or an identity-aware proxy.
- Hunt for suspicious OWA activity: Review access logs, unusual user agents, abnormal mailbox access patterns, unexpected inbox rules, and suspicious authentication events.
- Watch for post-exploitation behavior: Look for new forwarding rules, OAuth consent abuse, mailbox delegation changes, unexplained downloads, and login activity from unfamiliar geography or infrastructure.
- Prepare for patch deployment: Do not wait until the patch arrives to plan maintenance windows, rollback steps, backups, and validation checks.
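As an added example (not from the article, Microsoft, or CISA), the following Python triage script implements two of the hunting items above against IIS W3C access logs: it keeps only /owa requests, flags non-browser user agents, and flags an account seen from several client IPs inside a short window. The column names follow the IIS W3C format; the log lines, user-agent pattern and time window are constructed assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C sample (spaces in the user agent are '+' as IIS writes them).
SAMPLE_LOG = """#Fields: date time cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-05-01 08:00:01 /owa/ alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-01 08:00:09 /owa/service.svc alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-01 08:03:40 /owa/ alice 198.51.100.7 python-requests/2.31 200
2026-05-01 08:04:12 /owa/service.svc alice 198.51.100.7 python-requests/2.31 200
2026-05-01 08:10:00 /ecp/ bob 192.0.2.5 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
2026-05-01 09:30:00 /owa/ carol 192.0.2.9 Mozilla/5.0+(Macintosh)+Safari/17 200
"""

# Assumed hunting thresholds; tune them to the environment.
SUSPICIOUS_UA = re.compile(r"python-requests|curl/|wget/|go-http-client", re.I)
MULTI_IP_WINDOW_SEC = 600  # one account seen from several client IPs within 10 minutes

def parse_owa_requests(text):
    """Yield one dict per /owa request, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("cs-uri-stem", "").lower().startswith("/owa"):
                rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
                yield rec

def hunt(text):
    """Return sorted (account, reason) findings for the two checks above."""
    findings = set()
    by_user = defaultdict(list)
    for rec in parse_owa_requests(text):
        user, ip, ua = rec["cs-username"], rec["c-ip"], rec["cs(User-Agent)"]
        if SUSPICIOUS_UA.search(ua):
            findings.add((user, f"non-browser user agent {ua} from {ip}"))
        by_user[user].append((rec["ts"], ip))
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if (t - t0).total_seconds() <= MULTI_IP_WINDOW_SEC}
            if len(ips) > 1:
                findings.add((user, f"one session window, {len(ips)} client IPs: " + ", ".join(sorted(ips))))
                break
    return sorted(findings)
```

Findings are a starting point for review, not a verdict: pair them with mailbox audit and inbox-rule checks before escalating.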
Bulwark Black assessment
The practical takeaway is not just “patch Exchange.” The better lesson is that externally reachable collaboration platforms need an emergency mitigation playbook before the next zero-day appears. That playbook should define who can restrict access, who validates logs, who communicates user impact, how compensating controls are approved, and how leadership receives a plain-English risk update.
If your organization depends on on-premises Exchange, this is also a good moment to revisit whether OWA truly needs broad internet exposure. Many breaches succeed because critical services remain publicly reachable by default long after the original business reason has faded. Reducing exposure is not glamorous, but it is one of the fastest ways to lower real-world risk.
Source: Security Affairs — U.S. CISA adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog. Additional references: CISA KEV alert and Microsoft MSRC advisory.
