
"Microsoft has confirmed a vulnerability in on-premises Exchange Server that could result in surprise script execution in victims' browsers. Tracked as CVE-2026-42897, the flaw affects Outlook Web Access (OWA) and can be triggered by a specially crafted email opened in OWA, assuming "certain interaction conditions are met." The prize for attackers is arbitrary JavaScript execution in the mark's browser context."
"The advisory describes the flaw as a spoofing vulnerability stemming from cross-site scripting, which will set alarm bells ringing for administrators, and it appears the vulnerability is being exploited. The bug was assigned a CVSS score of 8.1. Exchange Server 2016, 2019, and the latest version, Exchange Server Subscription Edition (SE), are all affected regardless of their update level."
"A mitigation has been released via the Exchange Emergency Mitigation (EM) Service. However, Microsoft warned the mitigation might break other things - inline images might stop working in the recipient's OWA reading pane (use attachments instead) and the OWA Print Calendar functionality might not work (use a screenshot or the Outlook Desktop client). Finally, OWA Light might not work properly."
"The mitigation can also be applied manually in scenarios where customers are not using the EM service. These might be disconnected or air-gapped environments - exactly the sort of environments where on-premises Exchange tends to linger. Microsoft is working on a full security update, although only the Exchange SE version will be publicly available. Exchange 2016 and 2019 customers will receive it only if enrolled in Period 2 of the Exchange Server Extended Security Updates (ESU) program."
A vulnerability in on-premises Microsoft Exchange Server enables surprise script execution in victims’ browsers through Outlook Web Access. The issue, tracked as CVE-2026-42897, can be triggered when a specially crafted email is opened in OWA under certain interaction conditions. Successful exploitation allows arbitrary JavaScript execution in the browser context. The flaw is described as a spoofing vulnerability stemming from cross-site scripting and has been assigned a CVSS score of 8.1. Exchange Server 2016, 2019, and Exchange Server Subscription Edition are affected regardless of update level. An emergency mitigation is available via the Exchange Emergency Mitigation Service, but it may break inline images, OWA Print Calendar, and OWA Light. Manual mitigation is possible for disconnected or air-gapped environments. A full security update is in progress, with public availability expected only for Exchange SE and ESU Period 2 required for Exchange 2016 and 2019.
#on-premises-exchange #outlook-web-access-owa #cve-2026-42897 #cross-site-scripting #emergency-mitigation
Read at theregister