Canadian Cyber Security Journal
Filed under: TechTalk

Microsoft Exchange CVE-2026-42897: Actively Exploited Zero-Day Lets Attackers Run JavaScript via Crafted Email — What Canadian Organizations Must Do Now

Microsoft Exchange Server has a new actively exploited zero-day that turns a single crafted email into a JavaScript execution engine inside a victim’s browser — and it is already in CISA’s Known Exploited Vulnerabilities catalog.

What Happened

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a spoofing vulnerability rooted in a cross-site scripting flaw in Outlook Web Access (OWA) affecting on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online is not affected.

The attack requires no credentials. An attacker sends a crafted email to a target; when the target opens the message in OWA under specific interaction conditions, arbitrary JavaScript executes in the context of the victim’s browser session. This can be used to steal session cookies, exfiltrate data displayed in the browser, redirect users, or pivot to further attacks against the same session. The CVSS score is 8.1.

Microsoft confirmed active exploitation in the wild and released an automatic mitigation for organizations running the Exchange Emergency Mitigation Service (EEMS). CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, setting a federal remediation deadline. Microsoft’s security advisory describes the interaction conditions as requiring the email to be opened in OWA — desktop Outlook clients are not the primary attack surface.

Why This Matters for Canadian Organizations

On-premises Exchange Server remains widely deployed across Canadian federal departments, provincial governments, healthcare systems, financial institutions, and mid-market enterprises — particularly in regulated sectors where cloud migration has been slow due to data residency and sovereignty concerns. OWA is a standard interface for remote email access at many of these organizations.

The attack vector is low friction: a phishing email followed by a recipient clicking into OWA. No vulnerability in the victim’s client software is required beyond the Exchange Server flaw itself. Organizations with Exchange in scope of critical services — including those handling personal health information, financial records, or government communications — face an elevated risk of session hijacking and account compromise following exploitation.

Under PIPEDA, unauthorized access to email accounts constitutes a breach of personal information if messages contain data about identifiable individuals. Provincial health privacy laws such as PHIPA in Ontario apply similar obligations. Canadian organizations running on-premises Exchange that delay remediation without compensating controls face both security and regulatory exposure. CCCS has historically issued advisories aligned with CISA KEV additions for Microsoft products given their pervasiveness in Canadian infrastructure.

What to Do

- Enable the Exchange Emergency Mitigation Service if not already active. Microsoft deployed an automatic mitigation through EEMS that reduces the attack surface while a full patch is prepared; verify EEMS is enabled and has fetched the mitigation from Microsoft’s Office Configuration Service.
- Identify all on-premises Exchange servers in your environment and confirm versions: Exchange Server 2016, 2019, and SE are all affected at all cumulative update levels.
- Restrict OWA access to VPN or zero-trust network perimeters where operationally feasible.
- Review Exchange server and OWA logs for anomalous JavaScript execution indicators or unusual session activity.
- Monitor Microsoft’s Security Update Guide for the permanent patch.
- FCEB agencies face a formal KEV remediation deadline; Canadian federal departments should treat this on the same timeline given their Exchange Server footprints.
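Added example, not from the article or from Microsoft: a PowerShell pass, run in the Exchange Management Shell on an on-premises server, that inventories Exchange servers and versions and checks the EEMS prerequisites the steps above call for. The MSExchangeMitigation service name, the officeclient.microsoft.com endpoint and the Logging\MitigationService path are assumed from Microsoft's EEMS documentation and should be verified against the current advisory.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell.
# Assumed values: service name MSExchangeMitigation, OCS host officeclient.microsoft.com,
# log path <ExchangeInstallPath>\Logging\MitigationService.

# 1. Inventory: every on-premises Exchange server and its build (all CU levels are in scope)
Get-ExchangeServer | Sort-Object Name |
    Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize

# 2. Organization-wide EEMS switch: must be True for any automatic mitigation to apply
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; re-enable with Set-OrganizationConfig -MitigationsEnabled `$true"
}

# 3. Per-server status: mitigation service running, server-level switch on, mitigations applied/blocked
foreach ($srv in Get-ExchangeServer) {
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $srv.Name
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ',')
    }
}

# 4. Reachability of the Office Configuration Service, from which EEMS fetches mitigations over HTTPS
#    (assumed endpoint; confirm against Microsoft's EEMS documentation)
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded

# 5. Most recent EEMS log entries on this server (assumed default path under the Exchange install directory)
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
Get-ChildItem $logDir -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 20
```

A server that shows MitigationsEnabled false, a stopped service, or a failed TCP test has not received the automatic mitigation and needs the compensating controls above until the permanent patch is applied.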

Source: The Hacker News | SecurityWeek
