PatchDay Alert
Analysis · 7 min read · 1,407 words By The Commentary Desk · Commentary

Microsoft titled it Spoofing. It's session hijacking.

CVE-2026-42897 is the first real test of Exchange Server Subscription Edition's new servicing model. Four days in, the answer is a mitigation that breaks four OWA features and an SU with no ship date.

The mitigation Microsoft pushed for CVE-2026-42897 breaks OWA Print Calendar, breaks inline image rendering in the reading pane, breaks OWA Light, and triggers false-positive alerts on the OWACalendar.Proxy healthset. That’s four documented operational regressions the Exchange admin gets to brief help-desk on, in exchange for blocking a zero-day that Microsoft’s own advisory calls a “Spoofing” vulnerability.

It is not a spoofing vulnerability. It is cross-site scripting in the OWA email-rendering path, and because the payload is carried in the message body rather than in a URL, it is stored in the target’s mailbox, not reflected back from a request. The MSRC advisory lists the underlying CWE as CWE-79 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, score 8.1: reachable from the network, no privileges required, and the only user interaction is opening the message. When a target opens a crafted message in OWA, attacker JavaScript executes inside the victim’s authenticated browser session. From there, SOC Prime’s analysis and the CCB Belgium advisory describe the practical post-exploitation: harvest the session token, which sails past MFA for as long as it’s valid because the MFA challenge was already answered when the session was issued, then read the mailbox, set silent forwarding rules, and send mail as the victim. “Spoofing” is one bullet on a longer list. Calling the advisory by that name is technically accurate the way calling a house fire a “lighting incident” is technically accurate.

The mitigation is what Microsoft can ship; the patch is what the customer has to schedule

The Exchange Emergency Mitigation Service auto-deployed mitigation M2.1.x, an IIS URL Rewrite rule that blocks the known exploitation pattern, to Exchange Server 2016, 2019, and SE within hours of the May 14 disclosure. EEMS is enabled by default. For anyone who hasn’t explicitly disabled it, this worked the way Microsoft designed it to work back in the September 2021 CUs, after ProxyLogon made the case that “wait for the customer’s maintenance window” was no longer a viable response posture.

Four days later, there is still no Security Update on the calendar. Microsoft published a Patch Tuesday note on May 12 saying no Exchange SUs were scheduled for May, then disclosed an actively exploited zero-day on May 14 with the EM Service mitigation in lieu of a patch. The May 7 hotfix HU6 for SE RTM (KB5081755) is a Graph API hybrid coexistence fix and does not address this CVE.

What Microsoft has confirmed: when the SU does ship, Exchange 2016 and 2019 customers will only receive it through the ESU Period 2 program. Paid. Enterprise Agreement only. May–October 2026 coverage window. Both branches reached end of support on October 14, 2025. SE shipped July 1, 2025, which left roughly fifteen weeks of overlap during which a customer could be running either a still-supported legacy branch or SE and get fixes on the free channel. After October 14, 2025, the choice on 2016 and 2019 was migrate to SE or pay for ESU. SE itself remains free-to-patch under its subscription.

What Subscription Edition was supposed to fix

The pitch for Exchange Server Subscription Edition, in the June 2024 roadmap post and every Microsoft talk since, was that the bad old days of named exploit chains and version cliffs were a solved problem. SE is evergreen. Two CUs per year, security updates as needed, no more drift into unsupported builds the way Exchange 2013 customers drifted after 2023. The EM Service had matured. The architecture was the same, but the operational wrapper around it was finally caught up with how Microsoft ships everything else.

CVE-2026-42897 is SE’s first significant test, and so far what the test shows is that the operational wrapper helps right up until the moment a permanent fix is required. EEMS pushed M2.1.x automatically. That part worked. The part where the customer’s Exchange admin still has to wait for an SU, install it through the same CU-specific, elevated-Setup, iisreset, OWA-and-ECP-smoke-test ritual that existed in 2021, on the customer’s own maintenance window, that part hasn’t changed. SE is the Exchange 2019 codebase serviced in place. The IIS surface is still the IIS surface. OWA and ECP are still on the internet. Orange Tsai’s 2021 Black Hat work framed the proxy architecture as a class-of-bugs problem, not a single-bug problem. SE didn’t rewrite the proxy architecture. It rewrote the licensing model.

The KEV deadline is technically satisfiable, which is not the same as compliant

CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 with an FCEB deadline of May 29. That’s 14 days, not the usual 21, which is consistent with active-exploitation severity. The BOD 22-01 language requires agencies to “apply mitigations per vendor instructions,” which is permissive enough to read as “EM Service with M2.1.x applied is fine.” No CISA statement has explicitly said so. Each agency’s authorizing official gets to make that call, and “the directive’s wording probably covers it” is not a position any FCEB AO wants to write into a compliance package.

There is also no published threat actor. Microsoft, Mandiant, CrowdStrike, and CISA have not attributed the campaign as of writing. For comparison, ProxyLogon was attributed to HAFNIUM within days. The silence here may be early-stage investigation, embargo, or genuine uncertainty. Defenders are operating without a named adversary and without public IOCs: no infrastructure IPs, no domains, no hashes. Detection has to be behavioral: new inbox-forwarding rules and mailbox-level forwarding, OWA logins from unfamiliar geographies, anomalous bulk-read patterns. The IIS access logs won’t help much: the payload arrives in the email body, not the URL, so there is no request line to search for.
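One way to run the forwarding-rule part of that behavioral hunt, as an added example that is not from the advisory, the vendor, or the page’s sources. It runs in the on-prem Exchange Management Shell and covers the two places a “silent forward” can live: mailbox-level forwarding set with Set-Mailbox, which never shows in the user’s OWA rules list, and inbox rules that forward, redirect, or delete. Assumptions (ours, not the page’s): the account has at least View-Only Organization Management, admin audit logging is on, and the accepted-domain list is the right definition of “internal” for your org. The geography and bulk-read checks need IIS or mailbox audit data and are not covered here.

```powershell
# Added example (not from the advisory or the page's sources): hunt for the post-exploitation
# the article describes. Run in the Exchange Management Shell on-prem.
# Assumptions (ours): View-Only Organization Management or higher; admin audit logging enabled.

# Anything delivered to one of our own accepted domains is not exfiltration; everything else is.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Get-ExternalTarget {
    # Rule recipients stringify as 'Name [SMTP:user@domain]' or as a bare address; pull the domain
    # out of each one and keep only the recipients that are not in our accepted domains.
    param([object[]]$Recipient, [string[]]$InternalDomain)
    foreach ($r in $Recipient) {
        $text = "$r"
        if ($text -match '@([A-Za-z0-9.-]+)' -and $InternalDomain -notcontains $Matches[1].ToLower()) {
            $text
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress / -ForwardingAddress).
    #    It never appears in the user's OWA rules list, which makes it the quiet option for an
    #    attacker who already holds the session.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox      = $mbx.PrimarySmtpAddress
            Kind         = 'MailboxForwarding'
            Rule         = ''
            Target       = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            DeleteOrHide = -not $mbx.DeliverToMailboxAndForward   # no local copy is kept
        }
    }

    # 2. Inbox rules that forward or redirect outside the org, or that delete mail. Deleting is what
    #    makes a forwarding rule "silent": replies and bounces never reach the owner's inbox.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external   = @(Get-ExternalTarget -Recipient $recipients -InternalDomain $internalDomains)
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Kind         = 'InboxRule'
                Rule         = $rule.Name
                Target       = ($external -join '; ')
                DeleteOrHide = [bool]$rule.DeleteMessage
            }
        }
    }
}

$findings | Sort-Object DeleteOrHide -Descending | Format-Table -AutoSize

# 3. Who created or changed forwarding in the last two weeks. The OWA rules UI runs the same
#    cmdlets, so these land in the admin audit log even if the attacker never opened PowerShell.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox -StartDate (Get-Date).AddDays(-14) |
    Where-Object { $_.CmdletParameters.Name -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|ForwardingSmtpAddress|ForwardingAddress' } |
    Select-Object RunDate, Caller, ObjectModified, CmdletName |
    Format-Table -AutoSize
```

Enumerating Get-InboxRule across every mailbox is slow on a large fleet; the audit-log query in step 3 is cheap and is the one to schedule, with the full sweep reserved for an incident.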

What the rollout actually looks like this week

If EM Service is enabled and healthy, M2.1.x is already on the server. Run the steps in Microsoft’s advisory, or Microsoft’s Get-Mitigations.ps1 script from the Exchange Scripts folder, and confirm the M2.1.x entry is listed as applied (the same list is exposed as the MitigationsApplied property of Get-ExchangeServer). If EEMS is disabled, org-wide or on that server, or the environment is air-gapped and cannot reach the service’s endpoint, the IIS rewrite rule does not exist on the server and the manual mitigation steps from the advisory have to be run per-server. There is no protection in place until one of those is true.

After that, the calendar looks like:

  • Brief help-desk on the four OWA regressions before users file tickets about Print Calendar and missing inline images. The OWACalendar.Proxy healthset alert is cosmetic; tell whoever runs monitoring to suppress it.
  • Queue the SU for an unscheduled maintenance window. Microsoft has not announced one, but assume it lands before the end of May and budget the time.
  • For Exchange 2016 / 2019 fleets, confirm ESU Period 2 coverage is in place before the SU ships, or the patch will not be available through any channel the server can reach.
  • For FCEB agencies, get the AO’s read on whether M2.1.x applied satisfies the May 29 KEV deadline in writing. Don’t infer it from the BOD 22-01 verb choice.
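The verification step above, done fleet-wide rather than one server at a time, as an added example that is not from Microsoft’s advisory or the page’s sources. It uses the EEMS properties Microsoft exposes on Get-OrganizationConfig and Get-ExchangeServer, then the local checks to run on any server that does not report the mitigation: the MSExchangeMitigation service, reachability of the Office Configuration Service endpoint the service polls, and Microsoft’s Get-Mitigations.ps1 listing script. Assumptions (ours): the mitigation ID prefix below matches the advisory you are working against, and the local checks are run on the server itself.

```powershell
# Added example, not from Microsoft's advisory: confirm EEMS is on and the expected mitigation is
# reported Applied on every Mailbox server. Run in the Exchange Management Shell.
# Assumption (ours): the ID prefix matches the advisory's mitigation ID; substitute it if not.
$MitigationPrefix = 'M2.1'

# Two switches have to be on: the org-wide one (Set-OrganizationConfig -MitigationsEnabled)
# and the per-server one (Set-ExchangeServer -MitigationsEnabled). Either being off means no auto-apply.
$org     = Get-OrganizationConfig
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$report = foreach ($srv in $servers) {
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)   # IDs an admin excluded with Set-ExchangeServer -MitigationsBlocked
    $hit     = @($applied | Where-Object { $_ -like "$MitigationPrefix*" })

    if (-not $org.MitigationsEnabled -or -not $srv.MitigationsEnabled) {
        $status = 'EEMS disabled: run the manual steps from the advisory'
    } elseif ($blocked | Where-Object { $_ -like "$MitigationPrefix*" }) {
        $status = 'Mitigation blocked on this server'
    } elseif ($hit.Count -gt 0) {
        $status = 'Protected (automatic mitigation applied)'
    } else {
        $status = 'NOT applied: check service and OCS reachability on the server'
    }

    [pscustomobject]@{
        Server     = $srv.Name
        Build      = $srv.AdminDisplayVersion
        EemsOrg    = $org.MitigationsEnabled
        EemsServer = $srv.MitigationsEnabled
        Applied    = ($applied -join ', ')
        Status     = $status
    }
}
$report | Format-Table -AutoSize

# Local checks, run on any server whose Status is not 'Protected': the service that polls for
# mitigations, the endpoint it polls (officeclient.microsoft.com, per Microsoft's EM Service
# documentation), and Microsoft's own listing script, which also shows manually applied mitigations.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -InformationLevel Quiet
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
```

A server that shows EEMS enabled but nothing applied, with the service running and the endpoint reachable, usually just has not polled yet; the service checks on an hourly cadence, so re-run the report before assuming something is broken. A server that is air-gapped will fail the reachability test and needs the advisory’s manual steps regardless of what the switches say.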

The case EEMS was supposed to win

The EM Service did its job. M2.1.x deployed automatically, blocks the known exploitation vector, and bought the on-prem fleet a window of protection that didn’t exist during ProxyLogon. That is real, and worth saying out loud.

It is also the floor of what Subscription Edition was sold as fixing, not the ceiling. Four days into an actively exploited zero-day, the customer’s posture is a temporary stopgap with four documented side effects, no SU on the calendar, an advisory title that undersells the impact, and a KEV clock running against a compliance standard nobody has formally confirmed the mitigation satisfies. The evergreen servicing model is supposed to make the gap between “exploited in the wild” and “permanent fix in place” shrink. So far it has rebranded the gap.
