ADVISORY SUMMARY
CVE-2026-42897 is a high-severity (CVSS 8.1) Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) vulnerability in Microsoft Exchange Server. It allows an attacker to execute arbitrary JavaScript in the victim's browser context by sending a specially crafted email to a target user who opens it in Outlook Web Access (OWA). This stored/reflected XSS flaw was added to the CISA KEV catalog, indicating confirmed exploitation in the wild. The vulnerability enables session hijacking, credential theft, and potential lateral movement against any organization running on-premises Exchange.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Apply Microsoft's May 2026 Exchange Server security update immediately. If patching cannot be performed immediately, review the Microsoft Exchange Emergency Mitigation Service (EEMS) for interim mitigations. Restrict OWA access to internal networks, or enforce conditional access policies that require compliant, managed devices. Enable Enhanced Security Configuration in Exchange where feasible. Follow Microsoft's Exchange Server security best-practices hardening guide. Monitor the Microsoft Exchange team's advisory post at https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498.
DETECTION SIGNATURES
Enable Exchange Server protocol logging and OWA audit logging. Monitor for unusual JavaScript execution patterns or unexpected HTTP requests originating from OWA sessions. Use endpoint security tools to alert on anomalous browser activity that follows opening an email. Review Exchange IIS logs for unexpected client-side scripting indicators. Check the SIEM for session tokens reused from anomalous IP addresses following OWA access. Use Microsoft Defender for Office 365 Safe Links and attachment scanning to reduce initial delivery risk.
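One way to implement the session-token reuse check described above over Exchange IIS logs, as an added example that is not part of the advisory and not Microsoft's code. It assumes a W3C-style line layout (date, time, c-ip, cs-method, cs-uri-stem, cs(Cookie)) with cookie logging enabled, a session cookie named OWASession, and constructed sample lines; the cookie name and layout are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IIS lines (not real logs). Layout and the cookie name
# "OWASession" are assumptions; adjust LINE_RE/COOKIE_RE to the real field set.
SAMPLE_LOG = """\
2026-05-14 09:00:01 10.1.2.3 GET /owa/ OWASession=a1b2c3
2026-05-14 09:05:10 10.1.2.3 POST /owa/service.svc OWASession=a1b2c3
2026-05-14 09:07:30 203.0.113.45 GET /owa/ OWASession=a1b2c3
2026-05-14 09:08:00 203.0.113.45 POST /owa/service.svc OWASession=a1b2c3
2026-05-14 09:10:00 10.1.2.9 GET /owa/ OWASession=d4e5f6
2026-05-14 11:30:00 198.51.100.7 GET /owa/ OWASession=d4e5f6
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")
COOKIE_RE = re.compile(r"OWASession=([^;\s]+)")


def parse(log_text):
    """Parse lines into (timestamp, client_ip, method, uri, session_id) tuples,
    skipping lines without a recognisable layout or session cookie."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cookie = COOKIE_RE.search(m.group(5))
        if not cookie:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), cookie.group(1)))
    return events


def find_session_reuse(events, window_minutes=30):
    """Flag a session id that is used from a second client IP within
    window_minutes of the original IP's last request. This is a heuristic
    for a stolen OWA session token, not proof of compromise on its own."""
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for ts, ip, _method, _uri, sid in events:
        by_session[sid].append((ts, ip))
    alerts = []
    for sid, hits in by_session.items():
        hits.sort()
        first_ip, last_seen = hits[0][1], hits[0][0]
        for ts, ip in hits:
            if ip == first_ip:
                last_seen = ts  # original client still active
            elif ts - last_seen <= window:
                alerts.append({"session": sid, "original_ip": first_ip,
                               "new_ip": ip, "at": ts.isoformat()})
                break  # one alert per session is enough for triage
    return alerts
```

A wider window catches slower replays at the cost of more false positives from legitimate network changes, so tune window_minutes to the environment.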
REFERENCES
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-42897