
Cybersecurity Threat Advisory

A Microsoft Exchange Server Outlook Web Access (OWA) spoofing vulnerability, tracked as CVE‑2026‑42897, is actively being exploited in the wild. This issue affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition across all update levels. Continue reading this Cybersecurity Threat Advisory to reduce your risk and protect your Microsoft Exchange OWA.

What is the threat?

CVE‑2026‑42897 is a spoofing vulnerability driven by a cross-site scripting (XSS) flaw in the OWA interface of on-premises Microsoft Exchange Server. Exchange fails to properly sanitize certain email content before rendering it in the browser, enabling attackers to deliver malicious payloads.

An attacker can send a crafted email that, when viewed in OWA under specific conditions (such as preview or certain display modes), executes attacker-controlled JavaScript in the victim’s browser session. Because this code runs in the context of the user’s OWA session, it can act as the user without ever learning the password: it can issue authenticated OWA requests, steal any session tokens or cookies that are readable from script, and manipulate mailbox data, including creating forwarding rules or sending messages as the victim.

Microsoft classifies this as a spoofing vulnerability rather than direct remote code execution on the server; however, it represents a significant risk for account takeover and data exfiltration.

Why is it noteworthy?

This vulnerability is significant because it targets OWA, one of the most exposed and widely used interfaces in on-premises Exchange deployments. Organizations that continue to rely on on-prem Exchange often depend on OWA for remote and hybrid access, creating a broad attack surface.

The exploitation path, a crafted email leading to in-browser JavaScript execution, can bypass traditional email and endpoint defenses: the payload is markup in the message body rather than an attachment or a binary, so gateways that primarily inspect attachments and endpoint agents that watch for executables have nothing obvious to flag.

Multiple national CERTs, including CISA, have confirmed active exploitation and added CVE‑2026‑42897 to the Known Exploited Vulnerabilities (KEV) catalog, elevating this from a theoretical issue to a real-world operational risk. As no full patch is available at this time, organizations must rely on mitigations and compensating controls, which may be inconsistently implemented or misconfigured.

What is the exposure or risk?

Organizations running on-premises Exchange 2016, 2019, or Subscription Edition with OWA exposed are directly at risk. Any user who opens a maliciously crafted email in OWA could unknowingly trigger the exploit, giving an attacker a foothold in the user’s session. Successful exploitation enables account spoofing, including sending emails as the victim, reading or forwarding sensitive messages, and modifying mailbox rules to silently exfiltrate data. Because the exploit executes as JavaScript in the browser, it can also harvest session cookies, tokens, and other in-browser data, potentially enabling broader access to Exchange or related web applications.

In environments where OWA integrates with single sign-on (SSO), the impact may extend beyond email, providing attackers with indirect access to additional cloud or web resources. Attackers may further chain this technique with phishing or credential-stuffing attacks to escalate from a single compromised session to wider organizational exposure.

The risk is particularly high for privileged or high-value accounts, such as executives, administrators, and shared mailboxes used for finance, HR, or procurement workflows. Because exploitation relies on email content rather than a traditional payload, it can blend into normal traffic and evade basic AV or attachment-based detection.

What are the recommendations?

Barracuda strongly recommends organizations take the following steps to reduce the risk of exploitation and protect critical infrastructure from this and other similar threats.

  • Enable Microsoft’s Exchange Emergency Mitigation (EEM) service on all affected on‑prem Exchange servers. Alternatively, run the latest Exchange On‑Premises Mitigation Tool (EOMT) for CVE‑2026‑42897, and verify the mitigation status shows as applied.
  • Reduce OWA’s direct internet exposure when possible. For example, require VPN, or publish OWA behind a reverse proxy / application gateway with additional controls such as WAF rules.
  • Closely monitor OWA usage and mailboxes for signs of abuse: unusual logins, new or suspicious inbox rules, unexpected forwarding (at the rule or mailbox level), and unusual activity in Sent or Deleted Items.
  • Update endpoint and email security agents to their latest versions and configure them to detect suspicious script behavior in the browser and mail client.
  • Prepare to deploy the security update as soon as it is released. Plan to re‑validate Exchange’s configuration and remove temporary mitigations once fully patched.
  • Align with regulatory guidance (such as CISA’s KEV deadlines) by documenting affected servers, applied mitigations, and implementation timelines.
  • Test mitigations in a controlled manner (for example, staging or a limited subset of servers) to ensure they don’t break critical mail flows, then roll them out consistently across all Exchange servers.
  • Restrict access to Exchange administration interfaces by limiting permissions to necessary administrators and enforcing strong authentication and MFA for all admin accounts.
  • Centralize robust Exchange and OWA logging (e.g., forward logs to SIEM/XDR) to quickly detect and investigate exploitation attempts or anomalies tied to CVE‑2026‑42897.
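
The following PowerShell is an added example for this advisory, not Microsoft's or Barracuda's own tooling. It runs from the Exchange Management Shell and pulls the checks above into one triage pass: it reports the Emergency Mitigation service state on each server, lists where OWA is published externally, and hunts mailboxes for the abuse described earlier (inbox rules that forward, redirect, delete or bury mail, and mailbox-level forwarding). `$InternalDomains` is a placeholder you must set to your accepted domains; the `MitigationsApplied` and `MitigationsBlocked` property names are taken from Microsoft's EM service documentation and are an assumption to confirm on your build.

```powershell
# Added example (not part of the advisory, not Microsoft tooling): post-advisory triage
# for on-premises Exchange 2016/2019/SE, run from the Exchange Management Shell.
# Assumptions: $InternalDomains is a placeholder to replace with your accepted domains;
# MitigationsApplied/MitigationsBlocked property names follow Microsoft's EM service docs.

$InternalDomains = @('contoso.com')   # placeholder: replace with your accepted domains
$OutFile = "$env:TEMP\owa-triage-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# ---- 1. EM service status: MitigationsEnabled must be True on every server ----------
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion, MitigationsEnabled,
    @{n='MitigationsApplied'; e={ $_.MitigationsApplied -join ',' }},
    @{n='MitigationsBlocked'; e={ $_.MitigationsBlocked -join ',' }} |
    Format-Table -AutoSize

# ---- 2. OWA exposure: any ExternalUrl is an internet-reachable login page -------------
Get-OwaVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, InternalUrl, ExternalUrl, FormsAuthentication, BasicAuthentication |
    Format-Table -AutoSize

# ---- 3. Mailbox hunt ---------------------------------------------------------------------
function Get-RecipientDomain {
    # Rule recipients render as: "Bob" [SMTP:bob@evil.example] or "Alice" [EX:/o=Org/...]
    # Only the SMTP form can point outside the organization; EX: is a directory object.
    param([string]$Recipient)
    if ($Recipient -match '\[SMTP:[^@\]]+@([^\]]+)\]') { return $Matches[1].ToLower() }
    return $null
}

function Test-ExternalRecipient {
    param([string]$Recipient)
    $domain = Get-RecipientDomain $Recipient
    if (-not $domain) { return $false }
    foreach ($d in $InternalDomains) {
        $d = $d.ToLower()
        if ($domain -eq $d -or $domain.EndsWith(".$d")) { return $false }
    }
    return $true
}

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Mailbox, $Type, $Rule, $Detail) {
    $Findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Rule = $Rule; Detail = $Detail })
}

# Get-InboxRule is one call per mailbox; on large deployments scope this to
# executives, admins and finance/HR/procurement shared mailboxes first.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($Mbx in $Mailboxes) {
    $Addr = $Mbx.PrimarySmtpAddress.ToString()

    # Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress) needs no inbox rule at all.
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        $Detail = "ForwardingSmtpAddress=$($Mbx.ForwardingSmtpAddress); ForwardingAddress=$($Mbx.ForwardingAddress); DeliverToMailboxAndForward=$($Mbx.DeliverToMailboxAndForward)"
        Add-Finding $Addr 'MailboxForwarding' '' $Detail
    }

    foreach ($Rule in @(Get-InboxRule -Mailbox $Mbx.Identity -ErrorAction SilentlyContinue)) {
        $Recipients = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { $_.ToString() }
        $External = @($Recipients | Where-Object { Test-ExternalRecipient $_ })

        if ($External.Count -gt 0) {
            Add-Finding $Addr 'ExternalForwardRule' $Rule.Name ($External -join '; ')
        }
        # Deleting or burying mail hides replies, bounces and security alerts from the victim.
        if ($Rule.DeleteMessage) {
            Add-Finding $Addr 'DeleteRule' $Rule.Name "Enabled=$($Rule.Enabled)"
        }
        if ($Rule.MoveToFolder -and "$($Rule.MoveToFolder)" -match 'Deleted Items|Junk|RSS|Archive') {
            Add-Finding $Addr 'HideRule' $Rule.Name "MoveToFolder=$($Rule.MoveToFolder)"
        }
        # Rules named with one or two punctuation characters are a common attacker tell.
        if ($Rule.Name -match '^[\s\.\,\-]{1,2}$') {
            Add-Finding $Addr 'SuspiciousRuleName' $Rule.Name "Description=$($Rule.Description)"
        }
    }
}

$Findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
$Findings | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Findings: $($Findings.Count) written to $OutFile"
```

Run it as an account with at least View-Only Organization Management. Any external forward, redirect or delete rule the user did not create is grounds to treat the session as compromised: reset the password, invalidate existing sessions, remove the rule, and pull the OWA (IIS) and mailbox audit logs for that account into your SIEM/XDR for the window around the rule's creation.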


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Sana Ansari

Sana is a cybersecurity analyst at Barracuda. She's a security expert, working on our Blue Team within our security operations center. Sana supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
