
CVE-2026-42897: Actively Exploited Exchange Server Zero-Day Hits On-Prem Email with No Patch Available

Microsoft confirms active exploitation of CVE-2026-42897 in Exchange Server OWA — no patch available yet. Here's what Saudi financial institutions must do now to protect their on-prem email infrastructure.

FyntraLink Team

Microsoft confirmed on May 14 that attackers are actively exploiting a zero-day vulnerability in on-premises Exchange Server — and there is no security patch available yet. CVE-2026-42897, a cross-site scripting flaw in Outlook Web Access (OWA), lets threat actors execute arbitrary JavaScript in a victim's browser through a single crafted email. For Saudi financial institutions still running on-prem Exchange, this is a direct threat to credential security, session integrity, and regulatory compliance.

How CVE-2026-42897 Works: XSS Through a Crafted Email

CVE-2026-42897 carries a CVSS score of 8.1 and stems from improper input neutralization during web page generation within Exchange's OWA component. The attack chain is deceptively simple: a threat actor sends a specially crafted email to a target. When the recipient opens that email in Outlook Web Access and certain interaction conditions are met, malicious JavaScript executes directly in the browser context under the OWA session. This gives the attacker the ability to steal session cookies, harvest credentials, redirect users to phishing pages, or pivot deeper into the organization's infrastructure — all without triggering traditional endpoint detection.

Affected Versions and Scope of Exposure

The vulnerability impacts Exchange Server 2016, Exchange Server 2019, and the newer Exchange Server Subscription Edition. Exchange Online (Microsoft 365) is explicitly not affected, which creates a sharp risk divide between organizations that have migrated to the cloud and those still operating on-premises mail infrastructure. Across the Saudi financial sector, many institutions — particularly mid-tier banks, insurance companies, and fintech firms — continue to run on-premises Exchange for data sovereignty reasons or because of legacy integration dependencies. Every one of these deployments is now a live target.

Active Exploitation Confirmed — No Patch Yet

What makes CVE-2026-42897 particularly dangerous is the combination of confirmed wild exploitation and the absence of a security update. Microsoft has acknowledged active attacks and released an Emergency Mitigation (EM) through the Exchange Emergency Mitigation Service (EEMS), which is distributed and applied automatically on servers where EEMS is enabled. However, administrators who have disabled EEMS or are running older cumulative updates that predate the EM service must apply the mitigation manually. Known side effects of the mitigation include broken OWA Print Calendar functionality and inline images failing to render correctly in the recipient's OWA reading pane — operational disruptions that some organizations may hesitate to accept during business hours.

Why This Matters for Saudi Financial Institutions

Under the SAMA Cybersecurity Framework (CSCC), financial institutions are required to maintain robust vulnerability management programs (Domain 3.3.4) with defined SLAs for patching critical and high-severity vulnerabilities. A zero-day under active exploitation with no available patch creates a compliance gray zone: the vulnerability exists, the threat is real, but the standard remediation path — patching — is not yet possible. SAMA expects compensating controls in such scenarios, and the NCA Essential Cybersecurity Controls (ECC) reinforce this through requirements for continuous monitoring and incident response readiness. Institutions that fail to apply the available mitigation or implement compensating controls are exposed not only to the technical exploit but to regulatory scrutiny during the next assessment cycle.

Additionally, OWA is frequently the external-facing email access point for traveling executives, remote employees, and third-party contractors. A successful XSS attack against an OWA session could compromise privileged mailboxes — including those of compliance officers, board members, and treasury teams — yielding sensitive data subject to PDPL (Personal Data Protection Law) obligations.

Immediate Actions and Compensating Controls

  1. Verify EEMS status immediately. Confirm that Exchange Emergency Mitigation Service is enabled and that mitigation M2 for CVE-2026-42897 has been applied automatically. If EEMS is disabled, apply the mitigation manually following Microsoft's guidance on the Exchange Team Blog.
  2. Restrict OWA external access. If your organization exposes OWA to the internet, consider placing it behind a reverse proxy with Web Application Firewall (WAF) rules that inspect and sanitize email rendering requests. Alternatively, restrict OWA access to VPN-connected sessions only until the patch is released.
  3. Enable browser isolation for OWA users. Deploy browser isolation technology for users accessing OWA, so that any JavaScript execution is contained in a sandboxed environment and stolen session tokens cannot reach the attacker's infrastructure.
  4. Monitor for indicators of compromise. Inspect OWA IIS logs for unusual JavaScript payloads, unexpected redirects, or anomalous session behavior. Cross-reference with SIEM alerts for credential harvesting patterns or lateral movement originating from mail server segments.
  5. Accelerate cloud migration planning. Exchange Online is not affected by CVE-2026-42897. Organizations still running on-premises Exchange should treat this zero-day as another data point in the risk calculus for cloud migration, particularly given the recurring pattern of Exchange Server zero-days over the past five years — from ProxyLogon and ProxyShell to this latest exploit.
  6. Document compensating controls for SAMA compliance. Record all mitigations applied, the timeline of implementation, and the risk acceptance decision in your vulnerability management register. This documentation is critical for demonstrating due diligence during SAMA CSCC assessments and NCA ECC audits.
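Step 4's "anomalous session behavior" can be made concrete. The following added example (not from the original post or from Microsoft's guidance) parses IIS W3C log lines for the OWA virtual directory and flags a user whose requests switch client IP and User-Agent within a short window, the trace a session cookie stolen through XSS and replayed from attacker infrastructure would leave; the log lines, usernames and addresses are constructed for the example.

```python
"""Session-hijack indicator for OWA: flag a user whose requests switch client IP or
User-Agent within a short window, the pattern a stolen session cookie replayed from
attacker infrastructure produces. Added example, not from the original post."""
from datetime import datetime, timedelta

# Constructed sample of IIS W3C extended log entries for /owa (field names are the
# standard IIS ones; every value here is made up for the example).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-05-14 08:01:10 GET /owa/ CONTOSO\\treasury01 10.20.1.15 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-14 08:01:12 POST /owa/service.svc CONTOSO\\treasury01 10.20.1.15 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-14 08:03:40 POST /owa/service.svc CONTOSO\\treasury01 203.0.113.77 curl/8.5.0 200
2026-05-14 08:05:02 GET /owa/ CONTOSO\\cfo 10.20.1.30 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
2026-05-14 09:30:00 GET /owa/ CONTOSO\\cfo 10.20.1.30 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
"""
WINDOW = timedelta(minutes=10)  # tune to your users' legitimate IP-change behaviour

def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()  # IIS writes spaces inside values as '+'
            if len(parts) == len(fields):  # skip truncated lines rather than guess
                yield dict(zip(fields, parts))

def find_session_anomalies(text, window=WINDOW):
    """Return alerts for authenticated /owa users seen from a new (IP, User-Agent)
    within `window` of their previous request."""
    last_seen = {}  # username -> (timestamp, c-ip, user-agent)
    alerts = []
    for rec in parse_iis_w3c(text):
        user = rec["cs-username"]
        if user == "-" or not rec["cs-uri-stem"].lower().startswith("/owa"):
            continue  # anonymous or non-OWA request: nothing to correlate
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        origin = (rec["c-ip"], rec["cs(User-Agent)"])
        prev = last_seen.get(user)
        if prev and prev[1:] != origin and ts - prev[0] <= window:
            alerts.append({"user": user, "first_origin": prev[1:], "new_origin": origin,
                           "seconds_apart": int((ts - prev[0]).total_seconds())})
        last_seen[user] = (ts, *origin)
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```

Legitimate events such as VPN reconnects or mobile handoffs also change c-ip, so tune WINDOW and exclude known corporate egress ranges before paging on this. Because the payload arrives in an email body rendered by OWA rather than in a URL, the IIS request line will usually not contain the script itself; the replayed session is the more reliable server-side trace.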

The Recurring Pattern: Exchange Server as a Persistent Attack Surface

CVE-2026-42897 is not an isolated incident. On-premises Exchange Server has been one of the most consistently targeted enterprise assets since the ProxyLogon attacks of 2021. The pattern is clear: Exchange's large attack surface, its exposure to the internet through OWA and ActiveSync, and the complexity of its update cycle make it a favorite target for both nation-state actors and financially motivated threat groups. For organizations in SAMA-regulated sectors, the risk equation increasingly favors migration to Exchange Online or a hardened hybrid architecture with minimal on-premises footprint.

Conclusion

CVE-2026-42897 is a live, actively exploited zero-day with no patch — a scenario that demands immediate action, not waiting. Saudi financial institutions running on-premises Exchange must verify their mitigation status today, restrict OWA exposure, and strengthen monitoring around their mail infrastructure. The regulatory expectation under SAMA CSCC and NCA ECC is clear: when a known exploit exists, compensating controls are not optional — they are mandatory.

Is your Exchange environment protected? Contact Fyntralink for a complimentary Exchange security assessment and SAMA Cyber Maturity evaluation. Our team can help you verify your mitigation status, harden your OWA deployment, and build the compensating control documentation your next audit requires.