Microsoft has issued an urgent warning for organizations running on-premises email infrastructure. A newly disclosed vulnerability in Outlook Web Access (OWA) is being actively exploited in the wild, allowing attackers to execute malicious code through nothing more than a specially crafted email.
The flaw, tracked as CVE-2026-42897 (CVSS 8.1), represents a significant threat to corporate security because it targets the browser context of the end-user.
According to the Exchange Team, this is a Microsoft Exchange Server Spoofing Vulnerability that hinges on user interaction within a web browser. The mechanism of the attack is deceptively simple: “An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context”.
Most alarmingly, this isn’t just a theoretical risk. Microsoft has confirmed that this flaw has been exploited in the wild, meaning threat actors are already using it to bypass security controls.
The vulnerability impacts several generations of on-premises servers:
- Exchange Server 2016 (Any update level)
- Exchange Server 2019 (Any update level)
- Exchange Server Subscription Edition (SE) (Any update level)
In a bit of good news for cloud-first organizations, Exchange Online is not impacted by this specific vulnerability.
Because a permanent security update is still under development, Microsoft is leveraging its Emergency Mitigation (EM) Service to protect servers immediately.
- Option 1: Automatic Shielding
For the vast majority of users who have the EM Service enabled (it has been on by default since 2021), the defense is already live. Microsoft noted: “The mitigation is already published and is enabled automatically”. Administrators can verify this by checking for mitigation ID M2.1.x.
- Option 2: The Manual Path
For air-gapped or disconnected environments, admins must use the Exchange on-premises Mitigation Tool (EOMT) script to manually apply the fix across their server fleet.
Applying the mitigation—while necessary—does come with some “cosmetic” and functional quirks:
- Functionality Loss: OWA’s “Print Calendar” feature may break, and inline images might fail to display correctly.
- Visual Bugs: Some admins may see a “Mitigation invalid for this exchange version” message in the details.
- Microsoft assures users that “this issue is cosmetic and the mitigation DOES apply successfully if the status is shown as ‘Applied’”.
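One way for an administrator to verify Option 1 across a fleet, and to spot hosts that still need the manual EOMT path, is the following Exchange Management Shell script. It is an added example, not Microsoft tooling or output from the advisory; it assumes the Get-ExchangeServer properties MitigationsEnabled, MitigationsApplied and MitigationsBlocked exposed by the EM Service, and treats any applied mitigation ID beginning with the “M2.1.” prefix cited above as the OWA mitigation.

```powershell
# Added example (not from Microsoft): report Emergency Mitigation status for
# every on-premises Exchange server and flag servers where no mitigation ID
# starting with "M2.1." is listed as applied.
# Run from the Exchange Management Shell on an Exchange 2016/2019/SE server.
# Assumption: MitigationsEnabled / MitigationsApplied / MitigationsBlocked are
# the Get-ExchangeServer properties populated by the EM Service; "M2.1." is
# the ID prefix the advisory names, so the match is on that prefix only.
$RequiredPrefix = 'M2.1.'

$Report = Get-ExchangeServer | ForEach-Object {
    $Applied = @($_.MitigationsApplied)
    $Blocked = @($_.MitigationsBlocked)
    $HasOwaFix = @($Applied | Where-Object { $_ -like "$RequiredPrefix*" }).Count -gt 0
    $Status = if ($HasOwaFix) { 'Applied' } else { 'MISSING' }

    [pscustomobject]@{
        Server              = $_.Name
        AdminDisplayVersion = $_.AdminDisplayVersion
        MitigationsEnabled  = $_.MitigationsEnabled
        Applied             = ($Applied -join ', ')
        Blocked             = ($Blocked -join ', ')
        OwaMitigation       = $Status
    }
}

$Report | Format-Table -AutoSize

# A server with the EM Service disabled, or with no M2.1.x ID applied, has no
# protection yet; disconnected hosts must run the EOMT script manually.
$NeedsAction = @($Report | Where-Object {
    -not $_.MitigationsEnabled -or $_.OwaMitigation -eq 'MISSING'
})
if ($NeedsAction.Count -gt 0) {
    Write-Warning ("{0} server(s) lack the OWA mitigation: {1}" -f `
        $NeedsAction.Count, (($NeedsAction | ForEach-Object { $_.Server }) -join ', '))
}
```

The cosmetic “Mitigation invalid for this exchange version” text does not change the Applied value the script keys on, so a server reporting the M2.1.x ID as applied is covered despite that message.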
While the current mitigations are effective, they are temporary. Microsoft is working on a permanent fix. However, there is a catch for older systems: updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Extended Security Update (ESU) program.
If your organization is still on Period 1 ESU, you are out of luck—that program ended in April 2026, meaning your path to a permanent fix requires an immediate upgrade to a supported version.