CVE-2026-42897: Exchange OWA Zero-Day Turns a Single Email into Full Browser Hijack

Microsoft confirmed active exploitation of CVE-2026-42897, a cross-site scripting flaw in Exchange Server's Outlook Web Access that lets an attacker execute arbitrary JavaScript the moment a user opens a crafted email. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 15, giving federal agencies—and every organization running on-prem Exchange—two weeks to mitigate. For Saudi financial institutions still hosting mailboxes on Exchange 2016 or 2019, the window to act is closing fast.

What Makes CVE-2026-42897 Dangerous

At its core, CVE-2026-42897 (CVSS 8.1) is a stored XSS vulnerability disguised as a spoofing bug. An attacker crafts a specially formatted email containing malicious HTML. When a victim opens that email through Outlook Web Access—not the desktop client—the payload fires inside the authenticated browser session. No attachment download, no macro prompt, no link click: the act of reading the message is enough under certain interaction conditions. The JavaScript runs in the same origin as the OWA session, which means the attacker inherits the victim's authenticated context: mailbox access, address book, delegated calendar permissions, and any downstream integrations that trust the Exchange cookie.

Affected Versions and Scope

Microsoft lists Exchange Server 2016 CU23, Exchange Server 2019 CU14, and Exchange Server Subscription Edition (prior to the May 2026 SU) as vulnerable. Exchange Online is not affected because Microsoft applies server-side sanitization independently. The distinction matters: organizations that migrated to Microsoft 365 are safe, but hybrid deployments that still route OWA traffic through on-premises front-ends remain exposed. Shodan scans from May 16 show over 58,000 internet-facing OWA endpoints running unpatched builds, with a notable concentration in the Middle East and Southeast Asia where on-prem Exchange adoption remains high due to data-residency preferences.

Exploitation in the Wild

Microsoft Threat Intelligence attributed early exploitation to a cluster tracked as Storm-1811, known for targeting financial services and government entities across the Gulf region. The initial access pattern is straightforward: the threat actor sends a phishing email from a compromised legitimate domain, embedding the XSS payload inside an HTML-rich message body. Once triggered, the JavaScript exfiltrates the user's OWA session token, enumerates the Global Address List, and forwards select mailbox rules to an attacker-controlled inbox. In at least two observed incidents, the stolen session was used within minutes to access SharePoint document libraries linked through the same authentication cookie, pivoting from email compromise to document exfiltration without triggering a separate login event.

Why Saudi Financial Institutions Face Elevated Risk

SAMA's Cyber Security Framework (CSCC) mandates that member institutions maintain patching cycles aligned with risk severity—critical vulnerabilities require remediation within 48 hours under Domain 3.3 (Patch and Vulnerability Management). Yet many Saudi banks and insurance companies continue to operate Exchange 2016 or 2019 on-premises, often citing SAMA's own data-localization expectations as the reason for delayed cloud migration. This creates a paradox: the same regulatory posture that keeps mail servers local also expands the attack surface when zero-days like CVE-2026-42897 emerge. Additionally, NCA's Essential Cybersecurity Controls (ECC 2:2024) under Subdomain 2-4 require continuous vulnerability management and timely patching for all internet-facing systems. An unpatched OWA endpoint directly violates both frameworks and could trigger supervisory action during SAMA's next on-site examination cycle.

The OWA Attack Surface Problem

OWA is one of the most exposed enterprise services in any network. Unlike VPN portals or internal APIs, OWA is designed to be publicly reachable—it is the remote email access mechanism. That public exposure, combined with rich HTML rendering capabilities, makes it a persistent target. CVE-2026-42897 is the third OWA-related vulnerability added to CISA's KEV catalog in the past twelve months, following CVE-2026-21399 (SSRF in autodiscover) and CVE-2025-49773 (authentication bypass in EWS). Each exploit chain demonstrates the same structural weakness: OWA processes complex, untrusted content—email bodies, calendar invites, contact cards—inside an authenticated web session. Until organizations either migrate to Exchange Online or place OWA behind a reverse proxy with content-stripping capabilities, these vulnerabilities will keep surfacing.

Recommended Mitigation Steps

1. Apply the Emergency Mitigation immediately. If Exchange Emergency Mitigation Service (EM Service) is enabled, Microsoft has already pushed an automatic rule. Verify it is active by checking the IIS URL Rewrite rules on your CAS servers. For environments without EM Service, download the latest Exchange On-premises Mitigation Tool (EOMT) from Microsoft's official repository and run it manually.
2. Deploy the May 2026 Security Update. The mitigation buys time; the cumulative update closes the vulnerability permanently. Schedule the SU deployment within 48 hours to remain compliant with SAMA CSCC patching requirements.
3. Audit OWA session logs for indicators of compromise. Search IIS logs for anomalous POST requests to /owa/auth/ endpoints with unusually large request bodies. Cross-reference with your SIEM for any new inbox rules created in the past 72 hours that forward to external domains.
4. Enforce Content Security Policy headers on OWA. Adding strict CSP headers to the OWA virtual directory limits the execution of inline scripts, reducing the blast radius of XSS payloads even if a future bypass emerges.
5. Restrict OWA access by geography and device posture. Use conditional access policies or a web application firewall to limit OWA exposure to known IP ranges and compliant devices. Saudi institutions should block non-Saudi IP ranges unless remote access is explicitly required for traveling staff.
6. Review NCA ECC Subdomain 2-4 and SAMA CSCC Domain 3.3 compliance. Document the patching timeline, mitigation steps, and IOC scan results. This evidence will be required during the next regulatory examination or SAMA on-site review.

Conclusion

CVE-2026-42897 is not just another Exchange vulnerability—it is a zero-click XSS in the most exposed enterprise email interface, already weaponized against financial sector targets in the Gulf. The combination of active exploitation, CISA KEV listing, and the regulatory weight of SAMA CSCC and NCA ECC makes this a board-level issue for every Saudi financial institution still running on-premises Exchange. Patch within 48 hours, hunt for indicators of compromise in OWA logs, and use this incident as a forcing function to re-evaluate your on-prem Exchange roadmap.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your Exchange infrastructure security posture.