
CVE-2026-42897 Microsoft Exchange Server: actively exploited zero-day

CVE-2026-42897 analysis in Microsoft Exchange Server: spoofing and XSS zero-day affecting SE, 2019 and 2016, active exploitation, urgent mitigation.

Secra · June 2, 2026 · 7 min read

CVE-2026-42897 is a Microsoft Exchange Server zero-day actively exploited before its public disclosure. Microsoft Security Response Center (MSRC) documented it as a combined spoofing and Cross-Site Scripting (XSS) flaw affecting Microsoft Exchange Server Subscription Edition (SE), Exchange Server 2019 and Exchange Server 2016. The product is still the mail engine of thousands of European regulated organisations (banking, healthcare, public administration, NIS2-subject industries), so any Exchange zero-day has immediate operational impact and top priority in any vulnerability management programme.

This Secra advisory summarises the technical nature of the flaw, affected products, mitigation recommendations, European regulatory fit and how to identify signs of pre-patch exploitation.

Key takeaways on CVE-2026-42897

  • Microsoft Exchange Server zero-day: combined spoofing and XSS.
  • Affected products: Exchange Server Subscription Edition (SE), 2019 and 2016.
  • Active exploitation confirmed before public publication of the Microsoft advisory.
  • Allows deceiving internal users and executing JavaScript in the Outlook on the Web client context.
  • Mitigation: apply the matching Microsoft Patch Tuesday update and reinforce Exchange segmentation.

What CVE-2026-42897 is

CVE-2026-42897 is a security flaw documented by Microsoft Security Response Center combining two classic vectors in a single exploitable chain: spoofing (impersonation) and Cross-Site Scripting (XSS) in Exchange Server web components.

In practice, this means an attacker can craft a message or request appearing to come from a legitimate source (spoofing) and simultaneously execute JavaScript in the victim user's browser when they interact with the Exchange web interface (OWA, Outlook on the Web). The combination is dangerous because it bypasses controls that would individually suffice to detect either vector.

Typical impact of successful exploitation includes:

  • Outlook session credential theft
  • Unauthorised reading of the victim user's emails
  • Pivot to other internal victims through Exchange
  • In more sophisticated chains, escalation toward server compromise itself

Affected products

Per the initial Microsoft Security Response Center advisory:

Product                                    Status
Exchange Server Subscription Edition (SE)  Affected, requires patch
Exchange Server 2019                       Affected, requires patch (applicable Cumulative Update)
Exchange Server 2016                       Affected, requires patch (applicable Cumulative Update)
Exchange Online (Microsoft 365)            Not affected, server-side mitigation by Microsoft

Microsoft Exchange Server 2013 has been out of support for some time: if an organisation still runs that version, the risk is structural and extends far beyond this specific CVE.

Active exploitation: context and priority

Microsoft confirmed in-the-wild exploitation activity before publishing the advisory. This fits the historical Exchange zero-day pattern (ProxyLogon in 2021, ProxyShell in 2021, several in 2024 and 2025): advanced actors exploit Exchange vulnerabilities before the official patch because the product is a high-value target (corporate mail of diplomatic, financial and defence targets).

Organisations with Exchange on-premise exposed to the Internet must assume they are in scope until verified otherwise, especially if:

  • The server is Internet-accessible (OWA, ECP, EWS open)
  • Latest Cumulative Updates have not been applied
  • There is no segmentation isolating Exchange from the rest of the environment

Action one: patch with the official Microsoft update

Apply the update indicated in the corresponding MSRC advisory. Microsoft publishes patches aligned with the Patch Tuesday cycle, but under active exploitation there may be out-of-band releases. Verify the exact KB for each deployed Exchange version.

Action two: reduce exposure surface

While completing the patch rollout:

  • Limit external access to OWA, ECP and EWS from the Internet to corporate IP ranges or VPN
  • Enable Exchange Emergency Mitigation Service (EM service) if available in the deployed version
  • Review Conditional Access policies and MFA applied to Exchange access

Action three: retrospective hunting

Look for pre-exploitation indicators:

  • Unusual child processes of w3wp.exe (especially PowerShell or cmd, typically spawned by an ASPX webshell)
  • New files in \inetpub\wwwroot\aspnet_client\ or Exchange subdirectories
  • IIS logs with malformed requests to OWA, ECP, EWS, MAPI or autodiscover endpoints
  • Unusual growth in transport rules, mailbox forwarding rules or delegations
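The first three indicators above can be checked mechanically against exported telemetry. The following script is an added example (not part of the Secra advisory and not Microsoft tooling): it parses IIS W3C log lines using the log's own #Fields header, flags requests to the OWA/ECP/EWS/MAPI/autodiscover endpoints that carry path-traversal sequences, flags requests for server-side script files under aspnet_client (a directory that should only serve static client files), and flags process-creation events whose parent is w3wp.exe and whose child is cmd or PowerShell. The log lines, process events, file names and IP addresses are constructed for the example; the field order and the list of suspicious child processes are assumptions to adapt to your own logs.

```python
"""Retrospective Exchange hunting helpers (added example, constructed data)."""
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Exchange web endpoints named in the advisory's hunting list.
EXCHANGE_WEB_PREFIXES = ("/owa", "/ecp", "/ews", "/mapi", "/autodiscover")
# Directory that should only ever serve static client files; a request for a
# server-side script under it is a classic webshell indicator.
STATIC_ONLY_DIR = "/aspnet_client/"
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx")
# Heuristic: plain or URL-encoded traversal sequences in path or query.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|\.\.%2f|%2f%2e%2e)", re.IGNORECASE)
# Children of the IIS worker process that a healthy Exchange does not spawn.
# Starting list only (assumption); extend it for your environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed IIS W3C log sample (default field order). Not real traffic.
IIS_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-01 08:12:03 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2026-06-01 08:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302
2026-06-01 08:14:55 10.0.0.5 GET /autodiscover/autodiscover.json x=..%2f..%2fecp 443 - 198.51.100.7 python-requests/2.31 200
2026-06-01 08:15:02 10.0.0.5 POST /aspnet_client/system_web/notes.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2026-06-01 08:20:40 10.0.0.5 GET /ews/exchange.asmx - 443 DOMAIN\alice 10.0.0.77 Outlook 200
"""

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c set"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -nop"},
]


def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated line; a real job should record these too
        records.append(dict(zip(fields, values)))
    return records


def flag_iis_requests(records):
    """Return (reason, record) pairs for the two request-shape indicators."""
    findings = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        raw = stem + ("?" + query if query != "-" else "")
        low = stem.lower()
        if low.startswith(STATIC_ONLY_DIR) and low.endswith(SERVER_SIDE_EXT):
            findings.append(("server-side script requested under aspnet_client", rec))
        elif low.startswith(EXCHANGE_WEB_PREFIXES) and (
                TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(unquote(raw))):
            findings.append(("traversal sequence in Exchange web request", rec))
    return findings


def flag_w3wp_children(events):
    """Return (child basename, event) for suspicious children of w3wp.exe."""
    findings = []
    for ev in events:
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        child = PureWindowsPath(ev["Image"]).name.lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append((child, ev))
    return findings


if __name__ == "__main__":
    for reason, rec in flag_iis_requests(parse_iis_log(IIS_LOG)):
        print(f"[IIS] {reason}: {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']}")
    for child, ev in flag_w3wp_children(PROCESS_EVENTS):
        print(f"[PROC] w3wp.exe spawned {child}: {ev['CommandLine']}")
```

Run it against your exported IIS logs (one file per day under the inetpub\logs\LogFiles tree) and a JSON export of process-creation events; every hit is a lead to triage, not a confirmed compromise, and the absence of hits does not clear the server (see the FAQ on IoCs below).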

Action four: review credentials and active sessions

If compromise is suspected:

  • Invalidate all active OWA sessions
  • Force credential rotation for privileged users
  • Review Application Impersonation and permissions over critical mailboxes

Action five: regulatory notification if applicable

Under NIS2 (article 23) and GDPR (article 33), notify the competent authority within applicable timelines if evidence of actual compromise with impact on essential services or personal data is detected.

Fit with NIS2 and DORA

Exchange on-premise is typically a critical service in scope of:

  • NIS2 article 21.2(b): incident management with 24h/72h/1mo notification timelines
  • NIS2 article 21.2(d): business continuity and crisis management
  • DORA article 17: ICT incident management with specific timelines for financial entities
  • ISO 27001:2022 control A.8.8: technical vulnerability management

An Exchange zero-day under active exploitation is exactly the scenario these articles contemplate. Operational response capacity is measured in hours, not days.

Why Exchange remains a priority target

Three reasons that hold in 2026:

  1. High-value data. Corporate mail concentrates sensitive information: contracts, strategic plans, personal data, temporary credentials. Compromising an executive mailbox equals access to the whole organisation.
  2. Heterogeneous on-premise deployment. Despite the majority migration to Exchange Online, many regulated organisations keep Exchange on-premise for data sovereignty constraints or legacy integration. Each deployment adds attack surface.
  3. Track record of successful zero-days. ProxyLogon, ProxyShell, OWASSRF and others have shown Exchange is a profitable exploit vector for advanced actors (state APTs, enterprise ransomware). The pattern continues.

Frequently asked questions

Is Exchange Online affected?

Not directly. Microsoft applies server-side mitigations to all Microsoft 365 tenants without requiring customer action. The vulnerability affects on-premise deployments.

How long does Microsoft take to publish a patch after detecting exploitation?

Variable. In documented active exploitation scenarios, Microsoft accelerates out-of-band releases, sometimes within hours or days of detecting the activity. Defensive practice is to keep Exchange on the most recent Cumulative Update to shorten the exposure window.

Does detecting published IoCs guarantee absence of compromise?

No. Absence of known IoCs does not imply absence of compromise. Advanced actors modify TTPs specifically to avoid public signatures. Active threat hunting with broad hypotheses is necessary in zero-day scenarios.

Is a WAF in front of Exchange enough?

It helps but is not enough. A WAF can block certain known patterns but zero-days, by definition, evade signatures. Real defence combines fast patching, segmentation, active monitoring and incident response.

Should my organisation notify the incident under NIS2?

Depends on incident classification. If there is evidence of compromise with significant impact on essential services or personal data, yes. Classification is the CISO/DPO responsibility with legal advice.

What about backups of potentially compromised mailboxes?

Keep them in quarantine for forensic analysis. Backup restoration must start from a point verifiably prior to compromise, not any recent backup.

Threat hunting and response with Secra

Secra publishes its own CVE research (among others, CVE-2025-40652 in CoverManager and CVE-2023-3512 in Setelsa ConacWin CB) coordinated with INCIBE-CERT and NVD. The same methodology we apply when discovering vulnerabilities is what we use to validate exposure to external zero-days like CVE-2026-42897 on the client side.

We offer technical validation for organisations with Exchange on-premise exposed: retrospective hunting in IIS and Exchange logs, applied patch validation, post-patch internal pentesting to verify mitigation effectiveness and, if needed, DFIR intervention upon evidence of compromise. ProxyLogon/ProxyShell-class hunting in hours, not days. Get in touch through contact or explore our managed cybersecurity services.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
