{"uuid": "55ae87e9-2b67-4cb0-81d4-f03fff1cd4c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42897", "type": "seen", "source": "https://gist.github.com/alon710/8bad0b0572ee5c15cbbf9928305712df", "content": "# CVE-2026-42897: CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42897\n\n## Summary\nCVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.\n\n## TL;DR\nActively exploited reflected XSS in Exchange Server OWA allows unauthenticated attackers to hijack authenticated sessions via crafted URLs. Microsoft released out-of-band updates and an IIS URL rewrite mitigation (EEMS M2) to address the flaw.\n\n## Exploit Status: ACTIVE\n\n## Technical Details\n\n- **CWE**: CWE-79\n- **Attack Vector**: Network\n- **CVSS Score**: 8.1\n- **Impact**: Session Hijacking / High Confidentiality & Integrity\n- **Exploit Status**: Actively Exploited\n- **KEV Status**: Listed\n\n## Affected Systems\n\n- Microsoft Exchange Server 2016\n- Microsoft Exchange Server 2019\n- Microsoft Exchange Server Subscription Edition\n- **Microsoft Exchange Server 2016**: <= Cumulative Update 23 (Fixed in: `Cumulative Update 23 May 2026 SU`)\n- **Microsoft Exchange Server 2019**: <= Cumulative Update 15 (Fixed in: `Cumulative Update 14/15 May 2026 SU`)\n- **Microsoft Exchange Server Subscription Edition**: RTM (Fixed in: `May 2026 SU`)\n\n## Mitigation\n\n- Apply the official out-of-band Security Updates (SUs) and Cumulative Updates (CUs) provided by Microsoft.\n- Ensure the Exchange Emergency Mitigation Service (EEMS) is active and has applied the M2 or M2.1 IIS URL Rewrite rule.\n- Monitor IIS logs for anomalous query strings, URL paths containing encoded script tags, and unexpected OWA access patterns.\n- Implement network-level Web Application Firewall (WAF) rules to detect and block common Cross-Site Scripting payload structures targeting Exchange endpoints.\n\n**Remediation Steps:**\n1. Download the appropriate Security Update or Cumulative Update for the installed version of Microsoft Exchange Server.\n2. Install the update on all internal and edge Exchange Server instances.\n3. Verify the installation of the EEMS M2 mitigation using the `Get-ExchangeServer` PowerShell cmdlet.\n4. Review IIS logs to identify any accounts that interacted with malicious URLs prior to the patch application.\n5. Revoke active sessions and enforce password resets for any compromised accounts.\n\n## References\n\n- [Microsoft Security Response Center (MSRC) Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897)\n- [Microsoft Learn - Exchange EM Service](https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-42897)\n- [Tenable CVE Database](https://www.tenable.com/cve/CVE-2026-42897)\n- [SecurityOnline Technical Report](https://securityonline.info/google-chrome-security-update-79-fixes-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42897) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T07:20:29.000000Z"}