Microsoft Exchange Zero-Day CVE-2026-42897 Is Being Actively Exploited: CISA Deadline Is Today

A zero-day XSS flaw in Microsoft Exchange OWA, CVE-2026-42897 with CVSS 8.1, is being actively exploited. No permanent patch exists. The CISA federal remediation deadline falls today. On-premises Exchange administrators must act now.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region5 min read
Server rack with warning indicator in a dark data centre representing the active exploitation of Microsoft Exchange CVE-2026-42897 zero-day

Server rack with warning indicator in a dark data centre representing the active exploitation of Microsoft Exchange CVE-2026-42897 zero-day

A zero-day that begins in the inbox

Microsoft has confirmed active exploitation of CVE-2026-42897, a zero-day vulnerability in the Outlook Web Access component of on-premises Exchange Server. The flaw carries a CVSS score of 8.1 and affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. No permanent patch exists. The US Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue on 15 May 2026 and set a federal remediation deadline of 29 May 2026, which is today.

The attack chain requires no credentials and no server access. A threat actor sends a specially crafted email to a target. When the recipient opens that email in OWA under certain interaction conditions, arbitrary JavaScript executes inside the victim's browser session. The attack path does not begin with a network intrusion. It begins with an inbox.

What exploitation actually delivers

The consequences extend well beyond a single browser session. According to analysis published by the Centre for Cybersecurity Belgium, successful exploitation results in session token capture, identity spoofing, unauthorised mailbox access, and the ability to modify email content and settings.

Captured session tokens can then be used to pivot into other Microsoft 365 services tied to the same identity, including SharePoint, Teams, and cloud storage, without triggering a fresh authentication challenge. The attacker effectively inherits the victim's authenticated identity across the Microsoft 365 estate without needing credentials of their own. A single crafted email, if opened at the wrong moment, can hand an attacker silent access to the full breadth of a corporate Microsoft 365 environment.

The vulnerability was disclosed on 14 May 2026, two days after May's Patch Tuesday, which had already addressed 138 separate vulnerabilities. Active exploitation was confirmed by Microsoft on the same day as disclosure. CISA added it to the KEV catalogue within 24 hours, a pace reserved for flaws where the threat to enterprise environments is considered immediate.

No permanent patch: what to do now

Microsoft has deployed a temporary fix through its Exchange Emergency Mitigation Service, labelled M2.1.x. The EEMS pushes a URL rewrite configuration automatically to Exchange Mailbox servers where the service is enabled, which it is by default on supported Exchange builds. Microsoft has stated explicitly that enabling EEMS is the best immediate action available. Administrators with EEMS currently disabled should enable it without delay.

Administrators can verify whether the mitigation has been applied using the Exchange Health Checker script, available from aka.ms/ExchangeHealthChecker. Exchange Online and Microsoft 365 cloud-hosted environments are not affected. The vulnerability is specific to on-premises Exchange Server deployments only.

Microsoft has not disclosed the identity of the threat actors behind the current exploitation activity, the scale of confirmed attacks, or the specific sectors being targeted. The absence of attribution detail does not reduce the urgency. Confirmed active exploitation in the wild, combined with the CISA KEV listing, is sufficient basis to treat this as a priority incident regardless of sector.

Why this matters for GCC enterprise environments

Exchange Server zero-days carry particular weight for enterprise environments across the UAE and the wider Gulf. On-premises Exchange deployments remain common across government-adjacent entities, financial services organisations, healthcare providers, and enterprises with data residency requirements that have delayed cloud migration. As covered in the GCC cybersecurity 2026 risk overview, cloud migration across the region is accelerating but uneven, and organisations that have not yet completed the transition to Exchange Online remain directly exposed.

The attack chain is particularly concerning in the GCC context because it begins with email and does not require the attacker to hold any credentials. The email delivery vector is especially effective where organisations have not yet fully deployed phishing-resistant authentication. As documented in the analysis of why push-based MFA is no longer sufficient, the shift to credential-resistant authentication is underway but not complete across most Gulf enterprises. In that gap, an OWA-based session token attack is a credible path to a wider breach.

The UAE Cyber Security Council has confirmed that the country is currently absorbing between 600,000 and 800,000 breach attempts per day, with the attack mix shifting from opportunistic denial of service toward targeted intrusion attempts. CVE-2026-42897 provides exactly the kind of low-noise, high-value entry point that sophisticated actors operating at this volume are positioned to exploit.

The broader Exchange pattern

CISA has added 19 Microsoft Exchange Server vulnerabilities to its KEV catalogue over the past five years. Fourteen of those were subsequently abused in ransomware attacks. Exchange zero-days are attractive to ransomware operators because they provide authenticated access to corporate communications infrastructure, enabling reconnaissance, lateral movement, and credential harvesting before any payload is deployed.

The pattern of state-linked actors targeting enterprise email infrastructure is well established across the MENA region. The current exploitation activity on CVE-2026-42897 has not been attributed, but the historical profile of Exchange zero-day exploitation suggests that both financially motivated and nation-state actors are likely to be involved. For GCC security teams, the KPMG 2026 cybersecurity priorities for GCC CISOs identifies incident response capability as a primary gap across regional enterprises. A session token compromise originating from OWA, if not detected and contained within hours, can provide an attacker with extended dwell time across the Microsoft 365 estate before any alert surfaces.

Immediate actions for Exchange administrators

Security teams managing on-premises Exchange should take the following steps without delay.

Verify that the Exchange Emergency Mitigation Service is enabled and that the M2.1.x URL rewrite mitigation has been applied, using the Exchange Health Checker script. Audit all OWA-facing on-premises Exchange servers for their exposure scope. Review email security gateway logs for evidence of crafted email delivery consistent with CVE-2026-42897 exploitation patterns. Monitor for anomalous session token usage across Microsoft 365 services, with attention to access patterns from accounts that do not ordinarily access SharePoint or Teams.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Vulnerability DisclosureMicrosoft Exchange SecurityZero-Day Exploits 2026CISA KEVEnterprise Email SecurityGCC Incident Response