
CVE-2026-42897: Exchange Server Zero-Day Turns Your Inbox Into an Attack Surface

Microsoft confirms active exploitation of CVE-2026-42897, a zero-day XSS flaw in Exchange Server OWA. No patch available yet — here's what Saudi financial institutions must do now.

FyntraLink Team

Microsoft has confirmed active exploitation of CVE-2026-42897, a zero-day cross-site scripting vulnerability in on-premises Exchange Server that lets attackers hijack mailbox sessions through a single crafted email opened in Outlook Web Access. With no patch available yet and CISA mandating remediation by May 29, every organization still running on-premises Exchange, including Saudi financial institutions bound by SAMA CSCC, faces immediate risk.

How CVE-2026-42897 Works: XSS Through the Inbox

CVE-2026-42897 carries a CVSS score of 8.1 and targets the Outlook Web Access (OWA) component of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). The attack vector is deceptively simple: an adversary sends a specially crafted email containing malicious JavaScript. When a victim opens or previews that message in OWA, the script runs inside the victim's authenticated browser session, with the same origin and privileges as OWA itself. The victim does not have to click a link or open an attachment; viewing the message is enough.

Successful exploitation grants the attacker access to the victim's session tokens, full mailbox contents, and the ability to silently modify mailbox rules, forwarding settings, and even email content in transit. This is not a theoretical risk — Microsoft acknowledged active exploitation in the wild within hours of disclosure, though the company has not attributed the campaigns to a specific threat actor or named any targeted organizations.

Why On-Prem Exchange Remains a High-Value Target

Despite Microsoft's push toward Exchange Online, thousands of organizations globally, and a significant number in the GCC region, continue operating on-premises Exchange infrastructure. The reasons range from data sovereignty requirements and regulatory mandates to legacy integration dependencies. Attackers know this, and Exchange Server has consistently appeared in the CISA Known Exploited Vulnerabilities (KEV) catalog. ProxyLogon (CVE-2021-26855), ProxyShell, and ProxyNotShell all demonstrated how devastating Exchange zero-days can be. CVE-2026-42897 follows the same pattern from the attacker's side: it needs no credentials (sending an email is enough), it needs minimal interaction from the victim, and it scales easily across the internet. The difference from ProxyLogon is that the code runs in the victim's authenticated OWA session rather than against an unauthenticated endpoint, which is why the rest of this post focuses on what happens inside the mailbox after exploitation.

What makes this vulnerability particularly dangerous is the attack surface. OWA is by design exposed to the internet, and the exploitation payload arrives through the most trusted channel in enterprise communication — email. Security teams accustomed to blocking malicious attachments and URLs now face a threat embedded in the HTML rendering pipeline of the email client itself.

Impact on Saudi Financial Institutions and SAMA-Regulated Entities

Saudi banks, insurance companies, and fintech firms operating under the SAMA Cyber Security and Compliance Charter (CSCC) are required to maintain strict controls over email infrastructure security. SAMA CSCC Domain 3 (Technology Operations Management) and Domain 4 (Third-Party and Information Sharing) both mandate timely vulnerability management and continuous monitoring of internet-facing services. An unpatched Exchange Server exposed to CVE-2026-42897 creates a direct compliance gap.

The NCA Essential Cybersecurity Controls (ECC) reinforce this through ECC-2:2 (Vulnerability Management) and ECC-3:1 (Email Security), which require organizations to apply security patches within defined SLAs and implement protections against email-borne threats. Furthermore, if an attacker leverages this XSS flaw to access mailboxes containing customer financial data, the breach triggers PDPL notification obligations under Articles 19 and 20 of the Saudi Personal Data Protection Law.

For institutions running hybrid Exchange deployments — common in the Saudi financial sector where some mailboxes remain on-prem while others migrate to Microsoft 365 — the risk is compounded. A compromised on-prem OWA session can serve as a pivot point to harvest credentials and tokens that provide access to cloud-connected resources.

Current Mitigation: What Microsoft Recommends

Microsoft has not released a formal patch for CVE-2026-42897 as of May 21, 2026. Instead, the company is relying on the Exchange Emergency Mitigation (EM) Service to deploy an interim mitigation automatically. If your Exchange Server has the EM Service enabled, which has been the default since the September 2021 Cumulative Updates (Exchange 2016 CU22 and Exchange 2019 CU11) introduced it, the mitigation should already be in place. Several conditions can silently stop it from working, though: the Microsoft Exchange Emergency Mitigation service (MSExchangeMitigation) not running, outbound HTTPS to officeclient.microsoft.com blocked by a proxy or firewall, the IIS URL Rewrite module missing (the service applies its mitigations as URL rewrite rules), or mitigations switched off at the server or organization level. Do not assume it is working; check.

CISA has added CVE-2026-42897 to its KEV catalog with a federal remediation deadline of May 29, 2026. While CISA mandates apply to U.S. federal agencies, Saudi organizations aligned with NCA and SAMA frameworks should treat this timeline as a benchmark — not a suggestion.

Actionable Steps for Your Security Team

  1. Verify EM Service status immediately. Run Get-ExchangeServer | Format-List Name,MitigationsEnabled,MitigationsApplied in the Exchange Management Shell, and check the organization-level setting as well, since it overrides the per-server value. If MitigationsEnabled is False, the EM service is not running, or MitigationsApplied is still empty after the server has had time to check in, treat the server as unprotected. Re-enable EM Service and confirm outbound HTTPS connectivity to officeclient.microsoft.com. Microsoft's Exchange HealthChecker script also reports EM Service health and is a quick cross-check.
  2. Audit OWA exposure. Enumerate all Exchange servers with OWA published to the internet. If OWA access is not a business requirement, restrict it to VPN or Zero Trust Network Access (ZTNA) immediately. For servers that must remain accessible, enforce MFA and device posture at the layer that fronts OWA: the reverse proxy, your identity provider, or Microsoft Entra Conditional Access if OWA is published through Entra application proxy. OWA on its own does not evaluate Conditional Access policies.
  3. Deploy Content Security Policy headers. Add a restrictive CSP to the OWA virtual directory to reduce the impact of XSS exploitation, aiming for script-src 'self' with no inline script. Test on a non-production server first: OWA itself relies on inline scripts and resources from Microsoft-hosted origins, so an overly strict policy breaks the client. Start with Content-Security-Policy-Report-Only, review the violations, and only then switch to the enforcing header.
  4. Hunt for indicators of compromise. Review IIS logs on Exchange servers for anomalous OWA requests, particularly those with unusually long query strings or encoded JavaScript payloads. Check for unauthorized mailbox changes: Get-InboxRule across all mailboxes for forward, redirect or delete rules, mailbox-level forwarding on Get-Mailbox, and Get-TransportRule for organization-wide rules that copy or redirect mail (transport rules are not per mailbox, so check them once).
  5. Accelerate migration planning. If your organization is still running Exchange 2016 or 2019, this zero-day is another data point reinforcing the urgency of migrating to Exchange Online or Exchange Server SE with current cumulative updates. Note that SE is on the affected list for this CVE too, so migration closes the support gap rather than this specific flaw until a fix ships. Build a business case that maps migration milestones to SAMA CSCC compliance requirements.
  6. Brief your CISO and compliance team. Document the vulnerability, your current mitigation status, and residual risk in a memo that maps directly to SAMA CSCC Domain 3 and NCA ECC-2:2 controls. Regulators increasingly expect evidence of proactive vulnerability response, not just reactive patching.
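Steps 1, 3 and 4 above as one runnable triage script, added here by the editor; it is not part of the original article and is not Microsoft tooling. It assumes the Exchange Management Shell on Windows PowerShell 5.1, WinRM access to the other Exchange servers for the service and connectivity checks, and the IIS WebAdministration module. The cmdlets and property names are standard Exchange and IIS ones; the function names, the 512-byte query-length threshold, the CSP policy text and the sample IIS log lines are the editor's own constructions.

```powershell
# Added example (editor's own, not from the article or Microsoft). Run it from the
# Exchange Management Shell on an Exchange server. Cmdlets and property names are
# standard Exchange/IIS ones; function names, the 512-byte threshold, the CSP text
# and the sample IIS log lines are assumptions constructed for illustration.

# Step 1: EM Service health per server: the org-level switch (overrides the
# per-server flag), the service state and reachability of the endpoint on 443.
function Test-EmServiceStatus {
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
    foreach ($srv in Get-ExchangeServer) {
        $svc   = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        $state = if ($svc) { [string]$svc.Status } else { 'NotFound' }
        $reach = [bool](Invoke-Command -ComputerName $srv.Name -ErrorAction SilentlyContinue -ScriptBlock {
            Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -InformationLevel Quiet })
        [pscustomobject]@{
            Server             = $srv.Name
            OrgMitigations     = $orgEnabled
            ServerMitigations  = $srv.MitigationsEnabled
            MitigationsApplied = ($srv.MitigationsApplied -join ';')
            MitigationsBlocked = ($srv.MitigationsBlocked -join ';')
            EmService          = $state
            Reaches443         = $reach
            # Protected only when every link in the chain is in place.
            Protected          = [bool]($orgEnabled -and $srv.MitigationsEnabled -and $state -eq 'Running' -and $reach)
        }
    }
}

# Step 4 (rules): silent forward, redirect or delete rules per mailbox, then the
# organization-wide transport rules (those are not per mailbox; check them once).
function Get-SuspiciousMailRules {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
            [pscustomobject]@{ Scope = 'Mailbox'; Target = $mbx.PrimarySmtpAddress; Name = '(forwarding)'
                               Detail = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)" }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage) {
                [pscustomobject]@{ Scope = 'InboxRule'; Target = $mbx.PrimarySmtpAddress; Name = $rule.Name
                                   Detail = (@($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) -join ';') }
            }
        }
    }
    foreach ($tr in Get-TransportRule) {
        if ($tr.BlindCopyTo -or $tr.RedirectMessageTo -or $tr.CopyTo) {
            [pscustomobject]@{ Scope = 'TransportRule'; Target = '(organization)'; Name = $tr.Name
                               Detail = (@($tr.BlindCopyTo; $tr.RedirectMessageTo; $tr.CopyTo) -join ';') }
        }
    }
}

# Step 4 (IIS logs): parse W3C-format IIS logs and flag OWA requests whose query
# string is unusually long or decodes to a script marker. Field order comes from
# the #Fields header, so the parser copes with custom logging layouts.
function Find-SuspiciousOwaRequests {
    param([string[]]$LogLines, [int]$MaxQueryLength = 512)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $vals = $line -split ' '; $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $vals.Count); $i++) { $rec[$fields[$i]] = $vals[$i] }
        if ($rec['cs-uri-stem'] -notlike '/owa/*') { continue }
        $query = [string]$rec['cs-uri-query']; $reasons = @()   # '-' in IIS logs means no query
        if ($query.Length -gt $MaxQueryLength) { $reasons += "query length $($query.Length)" }
        if ([uri]::UnescapeDataString($query) -match '(?i)<script|javascript:|on(error|load)\s*=|document\.cookie') {
            $reasons += 'script marker in query' }
        if ($reasons) {
            [pscustomobject]@{ Time = "$($rec['date']) $($rec['time'])"; Client = $rec['c-ip']
                               User = $rec['cs-username']; Stem = $rec['cs-uri-stem']; Reason = ($reasons -join ', ') }
        }
    }
}

# Step 3: stage a CSP on the OWA virtual directory in report-only mode so
# violations surface in the browser console without breaking the client; flip
# to Content-Security-Policy only after testing on a non-production server.
function Set-OwaCspReportOnly {
    param([string]$SiteName = 'Default Web Site')
    Import-Module WebAdministration
    $path = "MACHINE/WEBROOT/APPHOST/$SiteName/owa"; $filter = 'system.webServer/httpProtocol/customHeaders'
    $name = 'Content-Security-Policy-Report-Only'
    Remove-WebConfigurationProperty -PSPath $path -Filter $filter -Name '.' -AtElement @{ name = $name } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $path -Filter $filter -Name '.' -Value @{
        name = $name; value = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'" }
}

# Constructed sample log (not a real capture): a benign OWA hit and one whose
# query string carries an encoded script fragment. Only the second is flagged.
$sampleIisLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status',
    '2026-05-21 09:14:02 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 192.0.2.10 200',
    '2026-05-21 09:14:07 10.0.0.5 GET /owa/service.svc a=%3Cscript%3Edocument.cookie%3C%2Fscript%3E 443 CONTOSO\alice 198.51.100.7 200'
)
Find-SuspiciousOwaRequests -LogLines $sampleIisLog | Format-Table -AutoSize
# Live use, from the Exchange Management Shell:
#   Test-EmServiceStatus | Format-Table -AutoSize
#   Get-SuspiciousMailRules | Export-Csv .\mail-rule-findings.csv -NoTypeInformation
#   Find-SuspiciousOwaRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')
```

Because the payload arrives in the message body rather than in a URL, the IIS log check mostly catches what the injected script does next (requests to OWA endpoints from the hijacked session, often from a client address that does not match the user's usual one), so pair it with the rule audit rather than relying on either alone. The Protected column is deliberately strict: a server whose org-level MitigationsEnabled is false, or whose EM service is stopped, reports unprotected even if MitigationsApplied is populated from an earlier check-in.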

Conclusion

CVE-2026-42897 is a stark reminder that on-premises Exchange Server remains one of the most targeted assets in enterprise infrastructure. The combination of an unpatched zero-day, active exploitation, and the inherent internet exposure of OWA creates a risk profile that demands immediate action rather than waiting for Patch Tuesday. For Saudi financial institutions, the regulatory stakes amplify the technical urgency: a compromised Exchange environment is simultaneously a security incident and a compliance violation under SAMA CSCC, NCA ECC, and PDPL.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your Exchange Server security posture.