(TLP:CLEAR) Vulnerability Notification – Critical Zero-Day Vulnerability in Microsoft Exchange Under Active Exploitation, CVE-2026-42897
Created: Tuesday, May 19, 2026 - 14:05
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using on-premises Microsoft Exchange Server environments with Outlook Web Access (OWA) enabled, particularly internet-facing Exchange infrastructure. Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.
Summary: A critical zero-day vulnerability affecting Microsoft Exchange Outlook Web Access (OWA) is being actively exploited in the wild. Tracked as CVE-2026-42897, the vulnerability is a cross-site scripting (XSS) flaw that could allow an unauthorized remote attacker to execute arbitrary JavaScript within a user’s browser session after sending a specially crafted email. Microsoft confirmed active exploitation and assigned the vulnerability a Common Vulnerability Scoring System (CVSS) score of 8.1 (High).
Analyst Note: This vulnerability is particularly concerning for utilities because Microsoft Exchange environments often support sensitive operational, administrative, and executive communications. Successful exploitation could allow threat actors to compromise OWA mailboxes, steal session tokens, manipulate email content, establish malicious forwarding rules, and conduct business email compromise (BEC) activity. Utilities with internet-facing Exchange infrastructure may face increased risk.
WaterISAC strongly encourages members to review Microsoft’s guidance immediately and verify whether affected Exchange infrastructure is internet accessible. Microsoft recommends two main mitigation options:
- Option 1 (recommended): enable and validate the Exchange Emergency Mitigation (EM) service, which automatically applies available mitigations to supported Exchange environments.
- Option 2 (for organizations unable to use the EM service): use the scripted mitigation option provided through the Exchange On-premises Mitigation Tool (EOMT).
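One way to carry out the "validate" step of Option 1, as an added example that is not part of this notification or of Microsoft's guidance: a read-only report of EM service state per Mailbox server. It assumes the Exchange Management Shell (Windows PowerShell 5.1) and rights to query services remotely. The mitigation ID for CVE-2026-42897 is not given on this page, so compare the Applied column against Microsoft's guidance.

```powershell
# Added example: run from the Exchange Management Shell. Changes nothing; it only
# reports whether Emergency Mitigation (EM) is enabled and running on each server.

$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    # The organization-level switch overrides the per-server setting.
    Write-Warning 'EM is disabled organization-wide. Enable with: Set-OrganizationConfig -MitigationsEnabled $true'
}

$report = foreach ($server in Get-ExchangeServer) {
    # The EM service is installed with the Mailbox role, not on Edge Transport servers.
    if ($server.ServerRole -notmatch 'Mailbox') { continue }

    # MSExchangeMitigation is the Windows service behind EM.
    # Assumption: remote service queries to the server are permitted.
    $svc = Get-Service -ComputerName $server.Fqdn -Name 'MSExchangeMitigation' `
               -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server         = $server.Name
        Enabled        = $server.MitigationsEnabled
        Service        = if ($svc) { $svc.Status } else { 'NotFound' }
        Applied        = ($server.MitigationsApplied -join ', ')
        Blocked        = ($server.MitigationsBlocked -join ', ')
        # Flag any server where EM cannot currently apply a mitigation.
        NeedsAttention = (-not $org.MitigationsEnabled) -or
                         (-not $server.MitigationsEnabled) -or
                         (-not $svc) -or ($svc.Status -ne 'Running')
    }
}

$report | Format-Table -AutoSize -Wrap

# Exit non-zero when at least one server needs follow-up, so the check can be scheduled.
if ($report | Where-Object NeedsAttention) { exit 1 }
```

An empty Applied column on a server that is enabled and running can also mean the server cannot reach Microsoft's mitigation endpoint, so check outbound connectivity before concluding that no mitigation is available.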
Related WaterISAC PIRs: 6, 8, 10
