
Exchange OWA CVE-2026-42897: Swiss On-Prem Alert 2026

Microsoft shipped a mitigation, not a fix — and for air-gapped Swiss Exchange deployments, even that mitigation requires manual intervention.

On 14 May 2026, Microsoft disclosed CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server's Outlook Web Access. CISA added it to the Known Exploited Vulnerabilities catalogue the following day with a remediation deadline of 29 May. By early June, active exploitation continues and no permanent code fix exists — only an automatic mitigation shipped through the Exchange Emergency Mitigation Service. For Swiss organisations running on-premises Exchange 2016, 2019, or Subscription Edition, this is not a scheduled patch item. It is an active risk requiring immediate operational response.

Anatomy of the Exploit: XSS via Crafted Email

CVE-2026-42897 is a reflected cross-site scripting flaw in OWA's email rendering pipeline. An attacker crafts a malicious email containing JavaScript payloads and sends it to a target whose mailbox is hosted on an affected on-premises Exchange server. When the recipient opens the email in OWA — through a browser — the payload executes in their authenticated session context.

The practical consequence is significant. JavaScript executing in an authenticated OWA session can exfiltrate session cookies, forge requests on behalf of the user, access the mailbox contents programmatically, and pivot to other Exchange management interfaces exposed through the same authentication context. For privileged accounts — administrators, finance controllers, HR staff — the impact extends beyond email access to credential theft that enables lateral movement.

Exchange Online is explicitly not affected. The vulnerability exists only in on-premises deployments where OWA rendering occurs server-side without the additional security layers Microsoft applies in the cloud service. This distinction matters for Swiss organisations: the sectors most likely to remain on on-premises Exchange — regulated financial institutions, cantonal administrations, hospitals — are precisely those with the most sensitive mailbox content.

Why There Is No Permanent Patch

Microsoft's response to CVE-2026-42897 has been to ship a Content Security Policy header modification through the Exchange Emergency Mitigation Service rather than a binary code fix. The mitigation, identified as M2.1.x, instructs the browser to block execution of inline scripts in the OWA context — effectively neutering the XSS payload delivery mechanism without addressing the underlying input sanitisation failure.

This approach has three failure modes that Swiss administrators must understand. First, EEMS requires the Exchange server to have internet connectivity to retrieve and apply the mitigation. Organisations operating air-gapped Exchange deployments — common in Swiss defence-adjacent industries, high-security financial clearing environments, and some cantonal IT infrastructure — must manually download and apply the mitigation package. There is no automatic fallback for offline servers.

Second, the CSP-based mitigation is ineffective against clients using Internet Explorer or Microsoft Edge in Internet Explorer Mode. The legacy rendering engine does not support Content Security Policy; for organisations with line-of-business applications that require OWA access through IE Mode, the risk remains fully present even after EEMS applies the mitigation. Enumerating and remediating these clients is a prerequisite, not an afterthought.

Third, the mitigation introduces operational side effects: the OWA print calendar function breaks, inline images may not render in the reading pane, and the OWA Light interface ceases to function correctly. In environments where end users depend on these features, applying the mitigation requires user communication and potentially support desk preparation.
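The check below is an added example, not Microsoft's tooling or the article's own code: given a server's OWA response headers, it decides whether the Content-Security-Policy actually forbids inline scripts, the property the EEMS mitigation relies on, and reports coverage across a constructed inventory of three servers. The server names, the policies and the inventory format are assumptions.

```python
# Added example, not Microsoft's code. The page does not give the literal header
# EEMS emits, so this checks the property the mitigation depends on: the
# effective script-src must not permit inline scripts. Server side only; an
# IE Mode client ignores CSP whatever this returns.

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def blocks_inline_scripts(header):
    """True if the policy stops inline <script> blocks and event handlers.

    script-src governs scripts and falls back to default-src. 'unsafe-inline'
    re-enables inline code unless a nonce- or hash-source is also listed, in
    which case CSP Level 2+ browsers ignore 'unsafe-inline'.
    """
    if not header:
        return False                      # no CSP at all: mitigation absent
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False                      # nothing governs script execution
    keywords = [s.strip("'").lower() for s in sources]
    if "unsafe-inline" not in keywords:
        return True
    return any(k.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for k in keywords)

def coverage(responses):
    """{server: covered?} from {server: {header: value}}; header names are case-insensitive."""
    report = {}
    for server, headers in responses.items():
        csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
        report[server] = blocks_inline_scripts(csp)
    return report

# Constructed sample: a nonce-based policy, a policy that re-enables inline
# code, and an air-gapped server that never received the mitigation.
SAMPLE = {
    "exch01.example.ch": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d41d8cd9'"},
    "exch02.example.ch": {"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
    "exch03-airgap.example.ch": {"X-Powered-By": "ASP.NET"},
}
```

Feeding `coverage` with `dict(urllib.request.urlopen(url).headers.items())` per server turns it into an estate-wide check; it cannot tell whether a client honours the header, so the IE Mode client inventory remains a separate task.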

Swiss On-Premises Exchange: The Regulatory Compliance Trap

Switzerland's on-premises Exchange footprint is larger than European averages. The drivers are structural: FINMA's data localisation expectations for client data, nDSG requirements for personal data processing, and the pragmatic reality that cloud migration programmes at Swiss regulated entities move slowly through procurement, risk assessment, and regulatory notification processes.

The same regulatory environment that keeps Exchange on-premises also creates the compliance obligations triggered by exploitation. A successful CVE-2026-42897 attack that results in credential compromise or unauthorised mailbox access qualifies as a significant ICT incident under FINMA Rundschreiben 2023/1, triggering notification obligations. If personal data is accessed — which is almost certain in any mailbox compromise — nDSG breach notification to the FDPIC follows.

Swiss cantonal administrations and hospital networks face an additional complication: many operate Exchange environments across multiple cantonal data centres or building locations, creating heterogeneous version landscapes where some servers may be on Exchange 2016 with delayed EEMS updates while others run Exchange SE. Validating mitigation status across the entire estate requires systematic inventory work, not a single administrator check.

Detection: What to Monitor When There Is No Patch

With no permanent fix available, monitoring becomes the primary risk control. The exploitation signature of CVE-2026-42897 involves JavaScript execution within authenticated OWA sessions, which leaves forensic traces in Exchange and web server logs. Specifically: unexpected outbound HTTP requests initiated from OWA server processes, unusual referrer headers in OWA access logs suggesting non-standard navigation flows, and authentication events immediately following OWA session activity from unexpected source IPs.

At the network level, OWA exploitation for credential harvesting typically involves a POST to an attacker-controlled endpoint. Egress filtering on Exchange servers — restricting outbound HTTP/HTTPS to known destinations — provides a compensating control that limits the exfiltration window even if the XSS payload executes successfully.
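As an added illustration of the log-based signals above (not code from the article), the Python below parses IIS W3C access log lines from an OWA front end and applies two rules: a Referer on a host that is not ours, and the same account reappearing from a second client IP within minutes of OWA activity. The log lines, host names and user names are constructed, and OWA_HOSTS is an assumed value.

```python
# Added example, not the article's code: two of the signals named above, run over
# IIS W3C log text from an OWA front end. Log lines, hosts and users are constructed.
from datetime import datetime, timedelta
from urllib.parse import urlparse

OWA_HOSTS = {"mail.example.ch"}      # assumption: our own OWA host names
REUSE_WINDOW = timedelta(minutes=5)  # how soon a second IP counts as suspicious

def parse_w3c(text):
    """Parse W3C extended log text; the #Fields directive names the columns."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def foreign_referrer(rows):
    """Rule 1: OWA requests whose Referer points at a host that is not ours."""
    hits = []
    for r in rows:
        ref = r.get("cs(Referer)", "-")
        if r["cs-uri-stem"].lower().startswith("/owa") and ref != "-":
            if (urlparse(ref).hostname or "").lower() not in OWA_HOSTS:
                hits.append((r["cs-username"], r["c-ip"], ref))
    return hits

def ip_change_after_owa(rows):
    """Rule 2: same account from a second client IP within REUSE_WINDOW of OWA use."""
    last_seen, hits = {}, []
    for r in rows:
        user, ip = r["cs-username"], r["c-ip"]
        if user == "-" or not r["cs-uri-stem"].lower().startswith("/owa"):
            continue
        ts = datetime.fromisoformat(f"{r['date']} {r['time']}")
        prev = last_seen.get(user)
        if prev and prev[0] != ip and ts - prev[1] <= REUSE_WINDOW:
            hits.append((user, prev[0], ip, ts.isoformat()))
        last_seen[user] = (ip, ts)
    return hits

# Constructed sample: a normal session, then the same account 92 s later from an outside address.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2026-06-02 08:12:03 10.1.1.5 GET /owa/ - 443 CONTOSO\hmuster 10.1.20.14 Mozilla/5.0 https://mail.example.ch/owa/ 200
2026-06-02 08:12:09 10.1.1.5 POST /owa/service.svc action=GetItem 443 CONTOSO\hmuster 10.1.20.14 Mozilla/5.0 https://mail.example.ch/owa/ 200
2026-06-02 08:13:41 10.1.1.5 GET /owa/ - 443 CONTOSO\hmuster 198.51.100.77 Mozilla/5.0 https://not-our-domain.example/ 200
2026-06-02 08:20:00 10.1.1.5 GET /owa/ - 443 CONTOSO\rfischer 10.1.20.15 Mozilla/5.0 - 200
"""
```

Both rules are noisy on their own (proxies and roaming users change IPs; legitimate portals link into OWA), so treat a hit on both rules for the same account within the window as the alert condition and tune OWA_HOSTS and REUSE_WINDOW to the estate.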

◆ Key Takeaway

CVE-2026-42897 has no permanent patch. The EEMS mitigation reduces risk but fails for air-gapped deployments and IE Mode clients. Swiss on-premises Exchange operators cannot treat EEMS application as closure — they must verify mitigation coverage, remediate IE Mode clients, implement egress filtering on Exchange servers, and maintain active monitoring for exploitation indicators until Microsoft releases a permanent code fix.

  • Confirm EEMS is enabled and mitigation M2.1.x is applied on every on-premises Exchange server; for air-gapped deployments, manually download the mitigation package from the Microsoft download centre and apply it out-of-band.
  • Inventory all OWA clients accessing Exchange via Internet Explorer or Edge in IE Mode — enforce browser policy or block OWA access from these clients until a permanent patch is released.
  • Implement egress filtering on Exchange servers restricting outbound HTTP/HTTPS to known destinations; block all unexpected outbound connections from Exchange server processes at the perimeter.
  • Enable Exchange audit logging at the verbose level and integrate OWA access logs into your SIEM; create alerts for anomalous outbound requests, unexpected JavaScript execution traces, and authentication spikes following OWA session activity.
  • Assess whether the current OWA exposure surface triggers FINMA RS 2023/1 incident classification — if privileged accounts (finance, HR, C-suite) access OWA from uncontrolled endpoints, the risk profile may already meet the threshold for internal incident declaration.
  • Accelerate Exchange Online migration feasibility assessment for workloads where on-premises hosting is driven by legacy inertia rather than active regulatory requirement — this vulnerability will not be the last affecting on-premises OWA.

CVE-2026-42897 follows a pattern that is becoming structurally familiar: a complex webmail rendering vulnerability receives a configuration-layer mitigation rather than a code fix, ships through an automated emergency service, and leaves a residual risk population of air-gapped, legacy-client, and operationally constrained deployments with full exposure. Swiss security teams managing on-premises Exchange should treat EEMS mitigation coverage as a floor, not a ceiling, and maintain continuous monitoring on OWA activity as a permanent operational requirement — not a temporary measure pending an eventual patch.