Affected systems

CVE-2026-42897 affects on-premises Exchange servers with Outlook Web Access. A crafted email can execute JavaScript in the browser context when it is opened through OWA and certain interaction conditions are met. Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition are the affected products; Exchange Online is not affected by this vulnerability.

For operations, the current control is not the general patch level alone. The protection is delivered through the Exchange Emergency Mitigation Service. If that service is disabled, blocked or not monitored, servers can remain without the active mitigation even when their maintenance level looks current.

Checks to run

  1. Check Emergency Mitigation Service: On every on-premises Exchange server, verify that the service is active, can retrieve updates and has applied mitigation M2.1.x for CVE-2026-42897.
  2. Constrain OWA access: Do not use OWA through Internet Explorer or Microsoft Edge in Internet Explorer mode, because the relevant browser protection does not apply there.
  3. Review servers separately: Prove coverage for internet-facing Exchange servers, hybrid servers, passive nodes and recovery environments, not only the primary production server.
  4. Inspect mailbox traces: Review suspicious OWA sessions, new inbox rules, forwarding settings and unusual sign-in locations.
  5. Plan permanent remediation: Treat the mitigation as an immediate control and keep Exchange updates, health checks and change approvals ready for the later fix.
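Steps 1 and 3 can be audited together from the Exchange Management Shell. The script below is an added example, not code from the advisory; it assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties on Get-ExchangeServer, the MSExchangeMitigation Windows service name, and uses $ExpectedMitigation as a placeholder for the exact M2.1.x identifier.

```powershell
# Added example: audit Emergency Mitigation Service coverage on every on-premises Exchange server.
# Run in the Exchange Management Shell (Windows PowerShell) with rights to read server configuration.
# $ExpectedMitigation is a placeholder; substitute the exact M2.1.x identifier for CVE-2026-42897.
$ExpectedMitigation = 'M2.1.x'

# Organization-wide switch: when this is $false no server applies EM Service mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # Get-ExchangeServer returns every server object, so passive DAG nodes, hybrid servers
    # and recovery environments joined to the org are covered, not only the primary server.
    $svc = Get-Service -ComputerName $server.Fqdn -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)

    # Covered only when both switches are on, the service is running, and the expected
    # mitigation is applied and not on the server's blocked list.
    $covered = ($orgEnabled -and $server.MitigationsEnabled -and
                $serviceState -eq 'Running' -and
                $applied -contains $ExpectedMitigation -and
                $blocked -notcontains $ExpectedMitigation)

    [pscustomobject]@{
        Server            = $server.Name
        Version           = $server.AdminDisplayVersion
        OrgMitigations    = $orgEnabled
        ServerMitigations = $server.MitigationsEnabled
        ServiceState      = $serviceState
        Applied           = ($applied -join ',')
        Blocked           = ($blocked -join ',')
        Covered           = $covered
    }
}

# Servers with Covered = False are the ones that need action; keep the CSV as evidence.
$report | Sort-Object Covered, Server | Format-Table -AutoSize
$report | Export-Csv -Path .\eems-coverage.csv -NoTypeInformation
```

The exported CSV doubles as the per-server status record asked for under "Fast evidence".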

Fast evidence

  • Document EM Service status and the latest applied mitigation per Exchange server.
  • Block OWA access through legacy browsers or Internet Explorer mode.
  • Assign an owner, expiry date and compensating control for every exception.

If only one action is possible immediately: prove mitigation M2.1.x on every on-premises Exchange server and block OWA access through IE mode.