CVE-2026-42897: Actively Exploited Exchange Server Zero-Day Demands Immediate Action

Microsoft has confirmed active exploitation of CVE-2026-42897, a critical cross-site scripting vulnerability in on-premises Exchange Server that allows attackers to execute arbitrary JavaScript through a single crafted email opened in Outlook Web Access. With no permanent patch available yet, Saudi financial institutions running Exchange 2016, 2019, or Subscription Edition face an immediate risk that demands emergency mitigation.

Understanding CVE-2026-42897: XSS Through the Inbox

CVE-2026-42897 stems from improper neutralization of input during web page generation in Microsoft Exchange Server's Outlook Web Access (OWA) component. Assigned a CVSS score of 8.1, the vulnerability enables an unauthorized attacker to perform spoofing and execute arbitrary code over the network. The attack vector is deceptively simple: a threat actor sends a specially crafted email to any user within the organization. When the recipient opens the email in OWA and certain interaction conditions are met, malicious JavaScript executes within their authenticated browser session.

This is not theoretical—Microsoft's Threat Intelligence Center has confirmed active exploitation in the wild, though specific threat actor attribution and campaign details remain undisclosed. The affected versions include Exchange Server Subscription Edition RTM, Exchange Server 2019, and Exchange Server 2016. Exchange Online customers are not impacted, which creates a dangerous false sense of security for organizations running hybrid deployments where on-premises servers still handle sensitive mailboxes.

Why This Vulnerability Is Particularly Dangerous

XSS vulnerabilities in email platforms are uniquely weaponizable. Unlike traditional XSS on public-facing websites, an Exchange OWA XSS allows attackers to operate within an authenticated administrative context. Successful exploitation could enable session hijacking of administrator accounts, exfiltration of sensitive email content without triggering DLP controls, lateral movement through forged internal communications, and credential harvesting through convincing phishing overlays rendered within the trusted OWA interface.

The attack requires no prior authentication—only the ability to send an email to anyone in the organization. Combined with the fact that many Saudi financial institutions still rely heavily on on-premises Exchange for regulatory data residency requirements, this creates a perfect storm. Attackers targeting Gulf financial institutions know that these organizations often maintain on-premises mail infrastructure specifically because of SAMA data localization mandates, making them prime targets for Exchange-specific exploits.

Impact on Saudi Financial Institutions Under SAMA and NCA Frameworks

For organizations subject to SAMA's Cyber Security Framework (CSCC), CVE-2026-42897 directly challenges multiple control domains. The Threat Management domain (3.3) requires organizations to maintain vulnerability management programs that address zero-day threats within defined SLAs. The Access Control domain (3.4) is implicated because successful exploitation effectively bypasses authentication controls through session hijacking. Event Detection and Response (3.8) capabilities must be capable of identifying anomalous JavaScript execution within OWA sessions.

Under the NCA Essential Cybersecurity Controls (ECC), this vulnerability triggers requirements under AC-2 (Access Control Management), where stolen sessions represent unauthorized access, and under VM-1 (Vulnerability Management), which mandates timely application of vendor-provided mitigations. Organizations holding PCI-DSS certification must also consider Requirement 6.3.3, which demands addressing critical vulnerabilities within 30 days—though given active exploitation, immediate action is warranted regardless of compliance timelines.

Microsoft's Temporary Mitigations and Their Operational Impact

In the absence of a permanent security update, Microsoft has released Emergency Mitigation M2.1.x through the Exchange Emergency Mitigation Service (EM Service). Organizations with EM Service enabled should verify automatic application of this mitigation. However, administrators must be aware of documented side effects: OWA Print Calendar functionality becomes non-operational, inline images may not display correctly in recipients' OWA reading pane, and OWA Light mode (accessed via /?layout=light) experiences rendering issues.

For financial institutions where OWA is a primary access method for branch personnel or traveling executives, these side effects could disrupt business operations. Security teams must coordinate with business stakeholders to communicate expected degradation while emphasizing that the alternative—leaving the vulnerability unmitigated—is unacceptable given confirmed exploitation.

Recommended Actions and Hardening Steps

1. Verify Mitigation M2.1.x Deployment: Run Get-ExchangeServer | Get-MitigationsApplied to confirm the emergency mitigation is active on all on-premises Exchange servers. If EM Service is disabled, manually apply the mitigation following Microsoft's guidance on TechCommunity.
2. Enable Enhanced OWA Logging: Configure IIS request logging with full headers and response bodies for OWA virtual directories. Forward these logs to your SIEM to establish baseline behavior and detect anomalous JavaScript payloads in email rendering.
3. Implement Content Security Policy Headers: Add strict CSP headers to OWA virtual directories that restrict inline script execution. While this may cause some OWA functionality issues, it provides defense-in-depth against XSS exploitation.
4. Restrict OWA Access: Limit OWA access to managed devices through conditional access policies. Block external OWA access from unmanaged endpoints until the permanent patch is released. Consider deploying OWA behind a reverse proxy with WAF rules that inspect for XSS payloads.
5. Hunt for Compromise Indicators: Review Exchange transport logs for emails containing suspicious HTML/JavaScript constructs. Examine OWA session logs for unusual concurrent sessions or geographic anomalies that may indicate session hijacking.
6. Accelerate Cloud Migration Planning: Use this incident as a catalyst for executive discussions about migrating remaining on-premises Exchange workloads to Exchange Online, where Microsoft manages zero-day response at platform level. Factor SAMA data residency requirements into the migration architecture using Microsoft's Saudi Arabia datacenter regions.

Conclusion

CVE-2026-42897 represents exactly the type of zero-day scenario that SAMA's CSCC framework was designed to address—a critical vulnerability in widely deployed infrastructure being actively exploited before a permanent fix exists. Organizations that have invested in mature vulnerability management processes, segmented architectures, and rapid response capabilities will navigate this threat effectively. Those that haven't may already be compromised without knowing it.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and validate your Exchange infrastructure security posture against active threats.