CVE-2026-42897 Exchange Server Zero-Day — No Patch, Active Exploitation, EEMS Is Your Only Option Right Now — How Are You Handling This?

Posted by Expert_Sort7434@reddit | linuxadmin | 3 comments

Hey everyone,

Just wanted to kick off a discussion because I think a lot of sysadmins are going to be scrambling on this one.

Microsoft confirmed active exploitation of CVE-2026-42897 — a cross-site scripting zero-day in Exchange Server's Outlook Web Access (OWA) component. The attack vector is genuinely simple: attacker sends a crafted email, victim opens it in OWA, arbitrary JavaScript runs in their browser session. That's the exploit. No credential stuffing, no lateral movement required to initiate.

Affected: Exchange Server 2016 CU23, 2019 CU14/CU15, and SE RTM. Exchange Online is NOT affected.

**The patch situation is messy:**
- No permanent patch exists yet
- EEMS auto-mitigation deployed May 14 (should have applied automatically if EEMS is enabled)
- Manual mitigation: run `.\EOMT.ps1 -CVE "CVE-2026-42897"` from elevated Exchange Management Shell
- Exchange 2016/2019 customers need Period 2 ESU enrollment to receive the permanent patch when it drops
- CISA KEV listed — federal agencies must remediate by May 29

**The tradeoffs with the mitigation:**
- OWA Print Calendar breaks
- Inline images in OWA reading pane won't display
- OWA Light mode also affected (though that should already be deprecated in your environment)

This feels like déjà vu from the ProxyLogon/ProxyShell days, and honestly I'm surprised more people aren't talking about this given that 14 of the 19 Exchange CVEs in CISA's KEV catalog were later weaponized in ransomware attacks.

**My questions for the community:**
- How quickly was EEMS mitigation confirmed in your environments?
- Anyone in the r/sysadmin crowd still not enrolled in Period 2 ESU for 2016/2019? How are you handling the patching gap?
- Has anyone seen detection hits in IIS logs suggesting pre-disclosure exploitation?

I wrote a more detailed technical breakdown including the full attack chain visualization and step-by-step mitigation here if you want more background: https://www.techgines.com/post/microsoft-exchange-server-zero-day-cve-2026-42897-owa-xss-exploit

And for context — this is the second critical mail server vulnerability this week. We covered the Exim CVE-2026-45185 (Dead.Letter) RCE three days ago here: https://www.techgines.com/post/dead-letter-exim-cve-2026-45185-a-critical-unauthenticated-rce-is-hiding-inside-your-gnutls-mail

If you're running a hybrid environment with Exim relay + on-prem Exchange, you've had a rough week.
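Added example (not part of the original post, and not Microsoft's or the techgines.com write-up's code): a PowerShell check, meant to be run from an elevated Exchange Management Shell, that answers the first community question above for every mailbox server at once: is the Emergency Mitigation service running, is EEMS enabled at the org and server level, and which mitigation IDs have actually been applied or blocked. It assumes the EEMS-era `Get-ExchangeServer` properties (`MitigationsEnabled`, `MitigationsApplied`, `MitigationsBlocked`), the `MSExchangeMitigation` service name and the `$exscripts\Get-Mitigations.ps1` helper that ship with the affected CUs; the specific mitigation ID Microsoft pushed for CVE-2026-42897 is not given in the post, so `$ExpectedMitigationId` is a placeholder you must replace with the ID from the advisory.

```powershell
# Added example for checking EEMS state fleet-wide; not the project's or the
# original poster's code. Run in an elevated Exchange Management Shell.
# PLACEHOLDER: replace with the mitigation ID from Microsoft's advisory for
# CVE-2026-42897; the post does not state it and it is not invented here.
$ExpectedMitigationId = 'REPLACE-WITH-MITIGATION-ID-FROM-ADVISORY'

function Get-EemsStatus {
    param([Parameter(Mandatory)][string]$ExpectedId)

    # Org-level kill switch: if this is $false, no server will apply anything.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
        # The service that polls the Office Config Service and writes the mitigations.
        $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' `
                           -ErrorAction SilentlyContinue

        $applied = @($srv.MitigationsApplied)
        $blocked = @($srv.MitigationsBlocked)

        [pscustomobject]@{
            Server             = $srv.Name
            Version            = $srv.AdminDisplayVersion
            OrgMitigations     = $orgEnabled
            ServerMitigations  = $srv.MitigationsEnabled
            ServiceStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
            Applied            = ($applied -join ',')
            Blocked            = ($blocked -join ',')
            # The only line that matters for this CVE: is the expected ID applied
            # and not sitting on the blocked list?
            ExpectedApplied    = ($applied -contains $ExpectedId) -and
                                 -not ($blocked -contains $ExpectedId)
        }
    }
}

$report = Get-EemsStatus -ExpectedId $ExpectedMitigationId
$report | Format-Table -AutoSize

# Flag anything that still needs the manual EOMT.ps1 mitigation from the post.
$gaps = $report | Where-Object {
    -not $_.ExpectedApplied -or $_.ServiceStatus -ne 'Running' -or -not $_.ServerMitigations
}
if ($gaps) {
    Write-Warning ("EEMS mitigation not confirmed on: " + ($gaps.Server -join ', '))
    Write-Warning "Run .\EOMT.ps1 -CVE `"CVE-2026-42897`" on those servers, then re-check."
} else {
    Write-Host "Mitigation $ExpectedMitigationId confirmed on all mailbox servers."
}

# Per-server detail (mitigation descriptions and timestamps) on the local box.
if (Test-Path "$exscripts\Get-Mitigations.ps1") {
    & "$exscripts\Get-Mitigations.ps1"
}
```

Two caveats when reading the output: a server that shows `ServerMitigations = $False` had EEMS switched off with `Set-ExchangeServer -MitigationsEnabled $false` at some point and will silently never pick up the auto-mitigation, which is the case the post's manual EOMT.ps1 step is for; and an ID on the `Blocked` list means someone ran `Set-ExchangeServer -MitigationsBlocked` to suppress it (typically because of the OWA Print Calendar or inline-image breakage listed above), so it counts as unmitigated even though EEMS is otherwise healthy.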