Microsoft Exchange Zero-Day Exploited in the Wild — and Pwn2Own Researchers Just Made It Worse

Microsoft Exchange Server hit by actively exploited XSS zero-day CVE-2026-42897 — no patch yet. Plus, Orange Tsai chains 3 bugs for RCE at Pwn2Own.

Exchange Server May 2026 vulnerability CVE-2026-42897

Microsoft Exchange Server is having a very bad week. While threat actors are already exploiting a critical cross-site scripting vulnerability in the wild, elite researchers at Pwn2Own Berlin 2026 independently demonstrated full SYSTEM-level remote code execution on the same platform — all within 48 hours of each other.

Microsoft confirmed on Thursday that a critical XSS vulnerability, tracked as CVE-2026-42897, is being actively exploited against on-premises Exchange Server deployments. The flaw affects Exchange Server 2016, 2019, and the Subscription Edition. Exchange Online users are not at risk. 

The attack is deceptively simple: an attacker sends a specially crafted email to a target. If the victim opens it in Outlook Web Access (OWA) — the browser-based interface for accessing Exchange mailboxes — arbitrary JavaScript can execute silently within the victim's authenticated OWA session. No credentials are needed and there is no complex setup: just a well-timed phishing email.

The vulnerability appeared just two days after Microsoft's May 2026 Patch Tuesday, which addressed 138 separate flaws — a grim reminder that even the most patched environments can be blindsided by zero-days arriving between update cycles.

Microsoft has not identified the threat actor behind the active exploitation, nor shared details about targets, campaign scale, or whether any attacks were successful. CVE-2026-42897 has not yet been added to CISA's Known Exploited Vulnerabilities catalog, though given its "Exploitation Detected" status, that designation could come at any time.

Pwn2Own Adds Fuel to the Fire

As if the zero-day wasn't enough, on day two of Pwn2Own Berlin 2026, Orange Tsai of DEVCORE Research Team chained three bugs together to achieve remote code execution with SYSTEM privileges on Microsoft Exchange, earning $200,000 — the single largest payout of the competition so far. This is a separate, distinct attack chain from CVE-2026-42897, and per Pwn2Own rules, vendors receive a 90-day window to patch before details are made public.

It follows an equally impressive day-one performance, where Orange Tsai earned $175,000 by chaining four logic bugs to escape the Microsoft Edge sandbox — cementing DEVCORE's position atop the leaderboard.

What Should Exchange Admins Do Right Now?

Microsoft is still working on a permanent fix. In the interim, two mitigations are available:

The Exchange Emergency Mitigation Service (EEMS) automatically applies protection via a URL rewrite configuration and is enabled by default on supported on-premises Exchange deployments. Admins should verify it's active.

For air-gapped or disconnected environments, Microsoft advises downloading the Exchange On-premises Mitigation Tool (EOMT) and running it from an elevated Exchange Management Shell — either on each server individually or across all servers at once, targeting the CVE-2026-42897 identifier.
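The article says admins should verify that EEMS is active; the script below is an added example of that check (it is not from the article or from Microsoft). It assumes an elevated Exchange Management Shell (Windows PowerShell 5.1) on a domain-joined server. The cmdlets and properties it relies on (Get-OrganizationConfig and Get-ExchangeServer with MitigationsEnabled, MitigationsApplied and MitigationsBlocked, the MSExchangeMitigation Windows service, the Get-Mitigations.ps1 script in the Exchange Scripts folder, and the officeclient.microsoft.com endpoint EEMS polls) exist in Exchange 2016 CU22+, 2019 CU11+ and Subscription Edition; the warning text and report layout are this example's own choices.

```powershell
# Added example (not from the article or Microsoft): confirm that the Exchange
# Emergency Mitigation Service (EEMS) can actually protect every on-premises
# server before relying on it for CVE-2026-42897.
# Assumption: run from an elevated Exchange Management Shell on any Exchange server.

# 1. EEMS must be switched on at the organization level...
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled org-wide; mitigations will not be applied automatically."
}

# 2. ...and on each server. Also report which mitigations have been applied
#    and which (if any) an admin has blocked, so a missing one stands out.
$servers = Get-ExchangeServer
$report = foreach ($srv in $servers) {
    [pscustomobject]@{
        Server             = $srv.Name
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ',')
    }
}
$report | Format-Table -AutoSize

# 3. The Windows service that fetches and applies mitigations must be running;
#    a stopped service leaves MitigationsEnabled = True but applies nothing.
foreach ($srv in $servers) {
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "$($srv.Name): MSExchangeMitigation service is not running (status: $($svc.Status))."
    }
}

# 4. EEMS pulls its mitigation list from the Office Config Service over HTTPS.
#    A server that cannot reach it stays silently unprotected, which is the
#    disconnected case the article points at EOMT for.
$reach = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -InformationLevel Quiet
if (-not $reach) {
    Write-Warning "Cannot reach officeclient.microsoft.com:443 from this server; apply the mitigation with EOMT instead."
}

# 5. Microsoft's Get-Mitigations.ps1 (shipped in the Exchange Scripts folder)
#    lists the mitigations currently applied on the local server.
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"
```

Run it on one server and read the table first: a server with MitigationsEnabled set to False, a non-empty MitigationsBlocked column, a stopped MSExchangeMitigation service, or no route to officeclient.microsoft.com will not receive the URL rewrite mitigation automatically, and that server is the one to handle with EOMT.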

Be aware that applying the mitigation introduces some side effects: OWA calendar printing may stop working, and inline images might not render correctly in the reading pane. Microsoft recommends using the Outlook desktop client as a workaround in both cases.

A permanent patch is planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. However, Exchange 2016 and 2019 updates will only be distributed to customers enrolled in the Period 2 Extended Security Update program — Period 1 ESU customers are excluded, as that program ended in April 2026.

With Exchange at the center of corporate email infrastructure — and often internet-exposed — organizations running on-premises deployments cannot afford to wait on this one.
