CVE-2026-42897: Why Your Exchange Zero-Day Mitigation Might Look Broken (But Isn't)
Another Exchange zero-day. If you're running on-premises Exchange, you probably felt that familiar dread when Microsoft dropped the advisory for CVE-2026-42897. It's a high-severity spoofing vulnerability, actively exploited, and it lets attackers run arbitrary code in Outlook on the web (OWA). The immediate problem isn't just the vulnerability itself, but the confusion around the mitigation: administrators are seeing messages that make them think the fix isn't working, even when it is.
I've seen the discussions on Reddit, especially on r/exchangeserver, where people are trying to figure out if EEMS actually applied the mitigation. That "invalid for this Exchange version" message is a real head-scratcher when you're trying to secure your environment at speed. Here's what's actually happening and how to be sure you're protected.
The Incident: Another OWA XSS in the Wild
Microsoft confirmed that CVE-2026-42897 is a high-severity spoofing vulnerability that allows cross-site scripting (XSS). This isn't theoretical; it's actively being exploited. The target is OWA users on up-to-date versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Exchange Online isn't affected, which is a small relief for those who've made the jump.
The Mechanism: How a Malicious Email Gets Code Running
The attack chain for CVE-2026-42897 is straightforward, which often makes it more dangerous. An attacker sends a specially crafted email. If a user opens that email in Outlook Web Access, and certain interaction conditions are met, arbitrary JavaScript can execute within the user's browser context.
Think about the implications of that: session hijacking, credential theft, or further client-side exploitation. It's a classic XSS scenario, but the fact that it's hitting Exchange OWA and is actively exploited makes it a priority.
The Impact: On-Premises Exposure and Patching Hurdles
If you're running Exchange Server 2016, 2019, or SE on-premises, your OWA users are exposed. The immediate risk is to confidentiality and integrity, as an attacker could manipulate data or steal information through the executed JavaScript.
The long-term fix, a permanent patch, isn't available yet. Microsoft plans to release updates for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Here's the catch, and it's a big one: updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU (Extended Security Update) program. If you're not on ESU, you're going to be stuck without a patch for this.
The Response: Mitigations, Verification, and the ESU Wall
Microsoft has pushed out immediate mitigations, which is good. They're coming through two channels: the Exchange Emergency Mitigation Service (EEMS) for automatic application, and the Exchange on-premises Mitigation Tool (EOMT) for manual application, especially in air-gapped environments.
Automatic Mitigation with EEMS
EEMS was introduced back in September 2021, after the ProxyLogon and ProxyShell zero-days. It runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with that role. For EEMS to check for new mitigations, your server needs to be running an Exchange Server version newer than March 2023.
Here's the thing about EEMS and CVE-2026-42897: many admins are seeing a "cosmetic" issue where the mitigation might display as "invalid for this exchange version" even if it's successfully applied. This is where the Reddit discussions come in. You need to verify it yourself.
To check the status, you can use these PowerShell commands in an elevated Exchange Management Shell:
Get-OrganizationConfig | ft MitigationsEnabled
Get-ExchangeServer | ft Name, MitigationsEnabled, MitigationsApplied
If MitigationsEnabled is True and MitigationsApplied lists CVE-2026-42897 for each Mailbox server, you're likely good, even with the "invalid" message. Trust the PowerShell output over the potentially misleading UI.
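The two commands above answer the question for one person looking at one screen. In a fleet, you want a single pass that checks the org-level switch, every Mailbox server's MitigationsApplied list, and whether the EEMS service is actually running, and then tells you which servers still need attention. The script below is an added example written for this post; it is not from the original article or from Microsoft's own tooling. It assumes an elevated Exchange Management Shell with permission to query services on each server, that MitigationsApplied and MitigationsBlocked are the string-array properties EEMS populates on the server object, that the EEMS Windows service is named MSExchangeMitigation, and it uses a substring match on the CVE id in case the mitigation name carries a suffix.

```powershell
# Added verification example, not from the original post or Microsoft's EEMS/EOMT tooling.
# Assumptions: runs in an elevated Exchange Management Shell; MitigationsApplied and
# MitigationsBlocked are the EEMS-populated string arrays on the server object;
# the EEMS service short name is MSExchangeMitigation.
$TargetCve = "CVE-2026-42897"

# 1. Organisation-level switch. If this is False, EEMS will not apply anything anywhere.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Org-level MitigationsEnabled: $orgEnabled"

# 2. Per-server view. Edge Transport servers have no Mailbox role, so EEMS never runs there.
$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne "Edge" } |
    ForEach-Object {
        $server  = $_
        $applied = @($server.MitigationsApplied)
        $blocked = @($server.MitigationsBlocked)

        # Substring match rather than exact equality, so a mitigation name such as
        # "CVE-2026-42897" with any version suffix is still recognised.
        $cveApplied = [bool]($applied | Where-Object { $_ -like "*$TargetCve*" })
        $cveBlocked = [bool]($blocked | Where-Object { $_ -like "*$TargetCve*" })

        # EEMS service state. A stopped service means no new mitigations will be fetched,
        # even if the property still lists ones applied earlier.
        $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            Server             = $server.Name
            MitigationsEnabled = $server.MitigationsEnabled
            EemsService        = if ($svc) { [string]$svc.Status } else { "NotFound" }
            CveApplied         = $cveApplied
            CveBlocked         = $cveBlocked
            AllApplied         = ($applied -join ", ")
        }
    }

$report | Format-Table -AutoSize

# 3. Decide. A server needs attention when the CVE is not listed as applied, when an admin
#    has explicitly blocked it, or when the EEMS service is not running.
$needsAction = $report | Where-Object {
    (-not $_.CveApplied) -or $_.CveBlocked -or ($_.EemsService -ne "Running")
}

if (-not $orgEnabled) {
    Write-Warning "MitigationsEnabled is False at the organisation level; EEMS is switched off. Apply the mitigation with EOMT or re-enable EEMS."
}

if ($needsAction) {
    Write-Warning "Mitigation $TargetCve is NOT confirmed on these servers. Apply it with EOMT or investigate EEMS:"
    $needsAction | Format-Table Server, MitigationsEnabled, EemsService, CveApplied, CveBlocked -AutoSize
} else {
    Write-Host "Mitigation $TargetCve is reported as applied on every Mailbox server."
    Write-Host "The 'invalid for this Exchange version' text in the UI can be disregarded when this check passes."
}
```

Run it from any Mailbox server; the report is what you keep as evidence that the mitigation is in place, and the warning list is your work queue for EOMT. The EEMS service check is there because a server can show an older MitigationsApplied value while the service that fetches new ones has quietly stopped.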
Manual Mitigation with EOMT
For air-gapped environments, or if you just prefer manual control, the Exchange on-premises Mitigation Tool (EOMT) is your friend. Download the latest EOMT version and apply the mitigation via an elevated Exchange Management Shell (EMS).
- For a single server:
.\EOMT.ps1 -CVE "CVE-2026-42897"
- For all servers (excluding Edge):
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
Known Issues with the Mitigation
Applying the mitigation isn't without its quirks. Microsoft notes a few known issues:
- OWA Print Calendar functionality might not work. You can copy data, take a screenshot, or use the Outlook Desktop client instead.
- Inline images might not display correctly in recipients' OWA reading pane. Send images as attachments or use the Outlook Desktop client.
- OWA light (the URL ending in /?layout=light) doesn't work properly. This feature was deprecated years ago, so it's less of a concern.
These are mostly cosmetic or minor functional impacts. They're a small price to pay for blocking an active zero-day.
My Take: Verify Everything, and Get on ESU
The immediate priority is to apply the mitigations and, critically, verify their successful application using the PowerShell commands. Don't let a "cosmetic" error message give you a false sense of insecurity. Trust your command line.
Beyond that, if you're still running Exchange 2016 or 2019 and not on the ESU program, this zero-day should be a wake-up call. The fact that permanent patches for these versions will be ESU-gated means you're going to be increasingly vulnerable to future exploits. CISA and the NSA have been pushing guidance to harden Exchange servers for a reason; 19 Exchange vulnerabilities have been added to CISA's actively exploited list in the last five years, with 14 also abused in ransomware. That's a trend you don't want to be on the wrong side of.
Get on ESU, or accelerate your migration plans. The cost of not doing so is only going to climb.