Exploits

Exchange Server XSS Spoofing Vulnerability Exploited in Wild

Published  ·  10 min read
Updated on May 15, 2026

Microsoft has disclosed a new security vulnerability affecting on-premise versions of Exchange Server, and the company confirmed that the flaw has come under active exploitation in the wild.

The Exchange Server XSS spoofing exploited vulnerability is tracked as CVE-2026-42897, and it carries a CVSS score of 8.1 which is considered high severity, and Microsoft has tagged it with an "Exploitation Detected" assessment.

An anonymous researcher discovered and reported the issue, and Microsoft described the flaw as a cross-site scripting (XSS) spoofing bug stemming from improper neutralization of input during web page generation.

What Is the Vulnerability?

The Exchange Server XSS spoofing exploited vulnerability allows an unauthorized attacker to perform spoofing over a network, and the attack works when an attacker sends a crafted email to a user.

When the user opens the email in Outlook Web Access (OWA) and subject to certain interaction conditions, arbitrary JavaScript code can be executed in the context of the web browser.

The Exchange Server XSS spoofing exploited flaw is a classic cross-site scripting vulnerability, but in the context of Exchange Server it is particularly dangerous because OWA is a trusted application within organizations.

An attacker who successfully exploits this flaw could read the user's emails, send emails as the user, access calendar information, and steal contacts, all while the user thinks they are just reading a normal email.

Affected Versions

The Exchange Server XSS spoofing exploited vulnerability affects all currently supported on-premises versions of Exchange Server.

Exchange Server 2016 at any update level is vulnerable, Exchange Server 2019 at any update level is vulnerable, and Exchange Server Subscription Edition (SE) at any update level is also vulnerable.

Microsoft confirmed that Exchange Online (the cloud version) is not impacted by this vulnerability, only on-premises Exchange Servers are affected.

This is a significant distinction because many organizations have moved to Exchange Online, but those still running on-premises servers need to take action immediately.

Active Exploitation

Microsoft has confirmed that the Exchange Server XSS spoofing exploited vulnerability is being actively used in attacks, but the company provided few details about the exploitation.

There are currently no details about how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts, and it is also unclear who the targets are and if any of those attacks were successful.

What Microsoft did confirm is that the vulnerability meets the threshold for an "Exploitation Detected" tag, meaning real attackers are using this flaw right now.

The Exchange Server XSS spoofing exploited vulnerability requires the victim to open a crafted email in OWA and then perform certain interactions, but given the prevalence of email as an attack vector, this is not a significant barrier for attackers.

The Exchange Emergency Mitigation Service

Microsoft is providing a temporary mitigation for the Exchange Server XSS spoofing exploited vulnerability through its Exchange Emergency Mitigation Service (EEMS).

The Exchange Emergency Mitigation Service provides mitigation automatically via a URL rewrite configuration, and it is enabled by default on most Exchange Server installations.

If the service is not enabled, administrators are advised to enable the Windows service, and the mitigation will then apply automatically without requiring manual intervention.

The Exchange Server cross-site scripting (XSS) vulnerability can be mitigated by rewriting specific URLs to correctly redirect malicious requests from related applications back to the Exchange Server; Microsoft is also developing a permanent fix for this vulnerability.

Manual Mitigation Steps for Air-Gapped Exchange Servers

For organizations unable to utilize the Exchange Emergency Mitigation Service (due to air-gap limitations or other security policies), Microsoft has provided manual mitigation instructions to assist in implementing mitigations via the Exchange On-Premises Mitigation Tool (EOMT).

Administrators should download the latest version of the EOMT from aka[.]ms/UnifiedEOMT, and then apply the mitigation via an elevated Exchange Management Shell (EMS).

For a single server, run: .\EOMT.ps1 -CVE "CVE-2026-42897"

For all servers (excluding Edge role servers), run: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

The Exchange Server XSS spoofing exploited mitigation can be applied to one server at a time or to all servers at once depending on the organization's needs.

Known Issue with the Mitigation Tool

Microsoft acknowledged a known issue with the Exchange Server XSS spoofing exploited mitigation where the tool shows the message "Mitigation invalid for this exchange version" in the Description field.

The Exchange Team explained that this issue is cosmetic, and the mitigation does apply successfully if the status is shown as 'Applied', and they are investigating how to address the display issue.

Administrators should check the status field rather than the description field to confirm that the Exchange Server XSS spoofing exploited mitigation was applied successfully.

How the Attack Works

The Exchange Server XSS spoofing exploited vulnerability is a cross-site scripting flaw in Outlook Web Access.

When an attacker sends a crafted email to a user, the email contains malicious JavaScript code that is not properly neutralized by Exchange Server.

When the user opens the email in OWA and performs certain interactions (which Microsoft did not fully detail), the JavaScript code executes in the context of the user's browser.

Because the code runs in the context of OWA, it has access to the user's session token, the Exchange Server XSS spoofing exploited attack can then read emails, send messages, modify calendar events, and access contacts all without the user's knowledge.

The "spoofing" aspect of the Exchange Server XSS spoofing exploited vulnerability comes from the fact that the attacker can impersonate the user within the OWA session, and any action taken appears to come from the legitimate user.

The Role of Interaction Conditions

Interaction conditions play an integral part in exploiting the Exchange Server XSS (Cross Site Scripting) vulnerability, according to Microsoft. Specifically, after opening the email, the user must perform an action to initiate the attack on the Exchange Server XSS spoofing vulnerability. 

Examples of actions required include: clicking a hyperlink (i.e. a link), hovering over a link (i.e., a button) or performing an action that causes a response back to the attacker (i.e. replying to the email). The Exchange Server XSS Spoofing vulnerability cannot be exploited with a "No Click" attack.

However, interaction conditions significantly lower the barrier for attackers because users are trained to interact with emails, and a well-crafted phishing email can easily trick users into performing the required actions.

The Exchange Server XSS spoofing exploited vulnerability is still very dangerous despite requiring interaction, email remains the primary attack vector for most cyber incidents.

Why On-Premises Exchange Is at Risk

Microsoft has been encouraging organizations to move to Exchange Online for years, and security is one of the primary reasons.

Exchange Online benefits from Microsoft's continuous monitoring, automatic updates, and cloud-scale security infrastructure, and the Exchange Server XSS spoofing exploited vulnerability does not affect Exchange Online at all.

On-premises Exchange Servers require organizations to manage their own updates, monitor their own logs, and respond to their own incidents, and many organizations lack the staff or expertise to do this effectively.

The Exchange Server XSS spoofing exploited vulnerability is the latest reminder that on-premises Exchange requires dedicated security attention.

How to Protect Your Exchange Server

The Exchange Server XSS spoofing exploited vulnerability is under active attack.

Here is what you need to do:

1. Enable the Exchange Emergency Mitigation Service. This service is enabled by default on most Exchange Servers, but verify that it is running, the Exchange Server XSS spoofing exploited mitigation will apply automatically.

2. If EEMS is not an option, run the manual mitigation. Download the EOMT and run the script on all Exchange Servers, the manual mitigation works even on air-gapped systems.

3. Apply the permanent patch when available. Microsoft is working on a permanent fix for the Exchange Server XSS spoofing exploited vulnerability, install it as soon as it is released.

4. Monitor your OWA access log for anomalies such as strange IP addresses and date/time stamps that would indicate an attacker trying to access OWA via a spoofed Exchange Server XSS attack.

5. Train users about OWA threats. Users should be suspicious of any email that asks them to interact with OWA in unexpected ways, the Exchange Server XSS spoofing exploited vulnerability relies on user interaction.

The Anonymous Researcher

Microsoft credited an anonymous researcher with discovering and reporting the Exchange Server XSS spoofing exploited vulnerability.

The researcher chose to remain anonymous, which is common in the security community for various reasons including employment restrictions, personal safety, or simply preference.

Microsoft thanked the researcher through its coordinated disclosure process, and the company worked with the researcher to understand the vulnerability before releasing the advisory.

The Permanent Fix

Microsoft is working on a permanent fix for the exploited weakness in Exchange server XSS spoof. However, they do not yet have an estimated release date for this fix. Until there is a permanent fix available, users can use the Exchange Emergency Mitigation Service and a manual EOMT to protect their environment by manipulating URLs to block XSS from working.

Once the permanent patch is released, organizations should apply it as soon as possible and then remove the temporary mitigation to ensure full protection.

Final Thoughts

The Exchange Server XSS spoofing exploited vulnerability is another chapter in the long history of Exchange Server security issues, and on-premises Exchange remains a favorite target for attackers.

The Exchange Server XSS spoofing exploited flaw has already been detected in active attacks, meaning real threat actors are using it right now, and they are sending crafted emails to Exchange Server users.

Microsoft has provided a temporary mitigation through the Exchange Emergency Mitigation Service, and this is the fastest way for most organizations to protect themselves.

If you run on-premises Exchange Server, verify that the Emergency Mitigation Service is enabled, or run the manual mitigation script, and do not wait for the permanent patch because attackers are not waiting.

FAQ Section

What is CVE-2026-42897?

CVE-2026-42897 is an Exchange Server XSS spoofing exploited vulnerability with a CVSS score of 8.1, it affects on-premises Exchange Server 2016, 2019, and Subscription Edition, and Microsoft confirmed active exploitation in the wild.

Is Exchange Online affected by the Exchange Server XSS Spoofing Exploited Vulnerability?

Yes, According to Microsoft, Exchange Online Is Not Affected By Any Exchange Server XSS Spoofing Exploited Vulnerability; Only On-Premise Exchange Servers Will See Impactful Changes.

How does the Exchange Emergency Mitigation Service help?

The Exchange Emergency Mitigation Service provides automatic mitigation for the Exchange Server XSS spoofing exploited vulnerability via a URL rewrite configuration, it is enabled by default on most Exchange Server installations.

What actions should administrators take with air-gapped Exchange servers?

Air-gapped Exchange servers that are not able to make use of Emergency Mitigation Services (EMS) will need to utilize the Exchange On-Premises Mitigation Tool (EOMT) to run -CVE CVE-2026-42897 from an elevated Exchange Management Shell.

Does Microsoft have a permanent fix for the Exchange Server vulnerability?

Microsoft is working on a permanent fix for the Exchange Server XSS spoofing vulnerability but does not have a timeline as to when it will be available. Organizations need to use the temporary mitigation until the permanent fix has been made available.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067