Defending Your On-Prem Exchange Server Against CVE-2026-42897: A Step-by-Step Security Guide

By ✦ min read

Introduction

Microsoft has disclosed a critical security vulnerability affecting on-premises versions of Exchange Server, designated as CVE-2026-42897 (CVSS score 8.1). This spoofing bug originates from a cross-site scripting (XSS) flaw and is already being actively exploited in the wild through specially crafted emails. The vulnerability was discovered and reported by an anonymous researcher. If left unpatched, attackers can send malicious emails that trigger XSS, leading to spoofing attacks and potential compromise of your email system. This step-by-step guide will help you understand, detect, and mitigate this threat effectively.

What You Need

• Administrative credentials – Domain admin or Exchange admin rights to install updates and configure settings.
• Backup of your Exchange Server – Full backup before applying patches is strongly recommended.
• Access to Microsoft Update Catalog – Or use Windows Update for automatic deployment.
• Network monitoring tools – For checking logs and detecting exploitation attempts.
• Knowledge of your Exchange build number – To verify patch installation and compatibility.

Step-by-Step Guide

Step 1: Understand the Vulnerability

Before taking action, familiarize yourself with CVE-2026-42897. It is a spoofing vulnerability caused by inadequate sanitization of user input within Exchange Web Services (EWS). Attackers craft an email containing malicious script that, when processed by the Exchange server, executes in the context of the recipient’s browser. This allows the attacker to impersonate the user, read emails, or send deceptive messages. The CVSS 8.1 rating indicates high severity, and active exploitation has been confirmed, making immediate action crucial.

Step 2: Assess Your Environment

Determine whether your organization runs an on-premises Microsoft Exchange Server. Check the version and cumulative update (CU) level. To do this:

1. Open Exchange Management Shell.
2. Run: Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
3. Note the version string (e.g., Exchange Server 2019 CU12).

If you are on a supported version (Exchange 2016, 2019, or newer), you are eligible for the security update. Older or unsupported versions require an upgrade first.

Step 3: Apply the Security Update

Microsoft has released a security update specifically for CVE-2026-42897. Follow these steps:

1. Download the appropriate update from the Microsoft Update Catalog or via Windows Update.
2. Log on to the Exchange server with administrative privileges.
3. Exit all Exchange management tools and stop services (optional but recommended for production).
4. Run the update installer as Administrator. It will automatically stop and restart services as needed.
5. After installation, restart the server if prompted.

Step 4: Verify the Installation

Confirm that the patch was successfully applied:

1. In Exchange Management Shell, run: Get-ExchangeServer | Format-List Name, AdminDisplayVersion
2. Check the version number against the updated version listed in the security bulletin.
3. Test email flow by sending a test message from and to internal and external addresses.
4. Review application and system logs for any errors related to the update.

Step 5: Implement Additional Mitigations

Beyond the patch, you can reduce the attack surface with these measures:

• Disable URL preview in Outlook Web App (OWA). This prevents script execution from preview panes.
• Restrict junk email delivery. Configure anti-spam policies to not deliver emails from unknown senders to the Inbox.
• Enable AMSI integration (if supported) to scan for malicious scripts.
• Apply strict Content Security Policy (CSP) headers on OWA virtual directories.
• Disable legacy protocols like Outlook Anywhere if not needed.

Step 6: Monitor for Signs of Exploitation

Because the vulnerability is already being exploited, check for potential compromise:

1. Search Exchange transport logs for emails containing unusual script tags or obfuscated JavaScript.
2. Review IIS logs on the Exchange server for abnormal requests to /EWS/ endpoints.
3. Run the Exchange Health Checker script from Microsoft to detect common misconfigurations.
4. Monitor user accounts for unauthorized forwarding rules or mailbox inbox rule changes.

Tips

• Patch promptly. CVE-2026-42897 is under active attack. Do not delay applying the security update beyond a few days.
• Test in a staging environment if possible, but given the active exploitation, deploying straight to production with a backup is acceptable.
• Enable verbose logging for OWA and EWS in advance to aid future forensic investigations.
• Educate users to be cautious of unexpected emails with attachments or links, even from known senders.
• Keep a list of all CVE-related updates applied for auditing and compliance purposes.
• Consider implementing Exchange Server Role Based Access Control (RBAC) to limit admin exposure.

By following these steps, you can significantly reduce the risk posed by CVE-2026-42897 and protect your on-premises Exchange Server from exploitation via crafted emails.