Microsoft Exchange CVE-2026-42897: OWA Mitigation Guide

Microsoft Exchange CVE-2026-42897 OWA mitigation guide for on-prem Exchange administrators

Microsoft has confirmed active exploitation of CVE-2026-42897, a Critical Microsoft Exchange Server spoofing vulnerability affecting on-premises Exchange. The immediate defender task is to verify that Microsoft’s Exchange Emergency Mitigation Service applied the temporary protection, or to apply Microsoft’s Exchange On-premises Mitigation Tool while waiting for the permanent Exchange security update.

This is a protect-only guide. Fix I.T. Phill is not publishing abuse instructions, email samples, copyable technical details, or private WAF validation notes. Exchange administrators should focus on mitigation status, supported update levels, log review, and a clean patch plan for every server that exposes Outlook on the web or Exchange services.

Why This Matters

MSRC rates CVE-2026-42897 as Critical with a CVSS 3.1 score of 8.1 and marks exploitation as detected. Microsoft describes the issue as improper neutralization of input during web page generation in Exchange Server, allowing an unauthorized attacker to perform spoofing over a network. Microsoft’s FAQ says the browser impact requires a user to open a malicious email message in Outlook Web Access and meet additional interaction conditions.

The practical risk for small businesses, hosting providers, MSPs, and internal IT teams is that on-premises Exchange is often internet reachable, tied to identity workflows, and trusted by users. Even though Microsoft is still preparing the permanent update, the mitigation path is available now.

Immediate Mitigation

First, verify whether the Exchange Emergency Mitigation Service is enabled and has applied the CVE-2026-42897 mitigation. Microsoft’s EM service checks for signed mitigations and applies temporary protections while a full security update is being prepared.

Get-Service MSExchangeMitigation
Get-ExchangeServer -Identity <ServerName> | Format-List Name,MitigationsApplied,MitigationsBlocked

If the mitigation service is enabled but has not checked in recently, restart it during an approved maintenance window and review the service logs afterward.

Restart-Service MSExchangeMitigation

If your Exchange servers cannot use the Emergency Mitigation Service, use Microsoft’s current Exchange On-premises Mitigation Tool. Run it from an elevated Exchange Management Shell, follow Microsoft’s prompts, and document the status for each server.

./EOMT.ps1 -ShowMitigationStatus -CVE "CVE-2026-42897"
./EOMT.ps1 -CVE "CVE-2026-42897"
Get-ExchangeServer | ./EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft’s tool can also preview changes and report status. Use those features in larger environments before applying changes across a full Exchange estate.
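The per-server commands above scale poorly past a handful of servers. The following script is an added example (not from the article, not a Microsoft tool): it collects the Emergency Mitigation Service state and the MitigationsApplied/MitigationsBlocked properties for every server in the organization, flags anything needing attention, and writes a timestamped CSV for the change record. Mitigation names are printed exactly as Exchange reports them, since the article does not give the identifier of this CVE's mitigation; the log path in the comment is Microsoft's documented default.

```powershell
# Added example, not from the original article or from Microsoft.
# Run from an elevated Exchange Management Shell (Windows PowerShell 5.1).
$Cve = 'CVE-2026-42897'   # taken from the article; used only to name the output file

# One row per Exchange server so the whole estate can be reviewed as a table.
$report = foreach ($server in Get-ExchangeServer) {
    # The MSExchangeMitigation service only exists on Exchange builds that ship EEMS.
    $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)

    # Collect anything an administrator should look at before moving on.
    $issues = @()
    if (-not $svc)                     { $issues += 'MSExchangeMitigation service not found' }
    elseif ($svc.Status -ne 'Running') { $issues += "service is $($svc.Status)" }
    if ($applied.Count -eq 0)          { $issues += 'no mitigations applied' }
    if ($blocked.Count -gt 0)          { $issues += "mitigations blocked: $($blocked -join ', ')" }

    [pscustomobject]@{
        Server             = $server.Name
        Version            = $server.AdminDisplayVersion
        ServiceStatus      = if ($svc) { $svc.Status } else { 'n/a' }
        MitigationsApplied = $applied -join ', '
        MitigationsBlocked = $blocked -join ', '
        NeedsAttention     = ($issues.Count -gt 0)
        Notes              = $issues -join '; '
    }
}

# Servers that need attention sort to the top.
$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize

# Keep a dated record for the change log, as the article recommends.
$report | Export-Csv -Path ".\EEMS-status-$Cve-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

# For servers flagged above, EEMS writes its own logs on each server under
# "$env:ExchangeInstallPath\Logging\MitigationService" (Microsoft's default location).
```

Any server reported with a blocked mitigation or a stopped service is a candidate for the Restart-Service step or the EOMT fallback described above.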

Patch Planning For Exchange Servers

  1. Confirm the exact Exchange build, cumulative update level, Windows Server build, and whether the server is part of a DAG or a single-server deployment.
  2. Back up Exchange configuration, mailbox databases, transport rules, certificates, receive/send connectors, and current IIS configuration before changing mitigation or patch state.
  3. For DAG environments, drain one server at a time, move active mailbox databases, place the node into maintenance, apply the mitigation or update, reboot when required, and verify health before moving to the next server.
  4. For single-server environments, schedule a customer-visible outage window and make sure mail queue, DNS, firewall, and backup owners know the timing.
  5. When Microsoft releases the permanent Exchange security update, install it only on supported Exchange build levels, then verify build numbers, service health, mail flow, Outlook on the web, mobile access, and transport queues.
  6. After the permanent update is installed and Microsoft says the mitigation is no longer needed, review Microsoft’s guidance before removing any temporary URL Rewrite mitigation.
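Step 1 above is the inventory on which the rest of the plan depends. This script is an added example (not from the article): for every non-Edge Exchange server it records the Exchange build as reported by the organization and the more precise ExSetup.exe file version that security update articles reference, the Windows Server caption and build, the last boot time, and DAG membership versus single-server status. It assumes PowerShell remoting is allowed from the admin workstation to each server.

```powershell
# Added example, not from the original article. Run from an elevated
# Exchange Management Shell; Invoke-Command needs WinRM access to each server.

# Map each server name to its DAG; servers that appear in no DAG are standalone.
$dagOf = @{}
foreach ($dag in Get-DatabaseAvailabilityGroup) {
    foreach ($member in $dag.Servers) { $dagOf[$member.Name] = $dag.Name }
}

$inventory = foreach ($server in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
    # ExSetup.exe carries the exact build (including the security-update suffix)
    # that AdminDisplayVersion does not always show.
    $remote = Invoke-Command -ComputerName $server.Name -ErrorAction SilentlyContinue -ScriptBlock {
        $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
        $os      = Get-CimInstance Win32_OperatingSystem
        [pscustomobject]@{
            ExSetupVersion = if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion } else { 'unknown' }
            OSCaption      = $os.Caption
            OSBuild        = $os.BuildNumber
            LastBoot       = $os.LastBootUpTime
        }
    }

    [pscustomobject]@{
        Server         = $server.Name
        Role           = $server.ServerRole
        AdminVersion   = $server.AdminDisplayVersion
        ExSetupVersion = if ($remote) { $remote.ExSetupVersion } else { 'unreachable' }
        OS             = if ($remote) { "$($remote.OSCaption) (build $($remote.OSBuild))" } else { 'unreachable' }
        LastBoot       = if ($remote) { $remote.LastBoot } else { $null }
        DAG            = if ($dagOf.ContainsKey($server.Name)) { $dagOf[$server.Name] } else { 'standalone' }
    }
}

# Group by DAG so the one-node-at-a-time order for step 3 is visible at a glance.
$inventory | Sort-Object DAG, Server | Format-Table -AutoSize

# Dated CSV for the patch plan and for comparing builds after the update.
$inventory | Export-Csv -Path ".\Exchange-patch-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Compare the ExSetupVersion column against the supported build levels in Microsoft's release notes before scheduling the permanent update; servers marked 'unreachable' need their remoting path fixed before a maintenance window, not during one.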

Windows Server And Admin Workstation Guidance

Do not patch Exchange in isolation. Keep the Windows Server operating system and admin machines current so attackers have fewer follow-on paths.

Temporary Exposure Reduction

The Microsoft mitigation is the priority. In parallel, reduce public exposure where your environment allows it. Put admin surfaces behind VPN, conditional access, private access, or strict allowlists. Add extra monitoring around Outlook on the web logins and challenge suspicious traffic at the CDN or firewall layer. Avoid breaking mail flow for customers while tightening access.

If an Exchange server is too old to receive the eventual security update, stabilize it with Microsoft’s temporary mitigation, then plan a supported upgrade or migration path. Do not leave unsupported Exchange servers as permanent internet-facing mail infrastructure.

Customer Communication

Tell customers that Microsoft confirmed active exploitation against on-premises Exchange Server, that Exchange Online is not listed as affected by the on-premises issue, and that you are verifying Microsoft’s temporary mitigation while waiting for the permanent security update. Keep the customer message focused on protection status, maintenance windows, mail-flow impact, and what users should report.

Fix I.T. Phill CDN/WAF Note

We are leaving a sanitized CDN/WAF handoff for Exchange-facing web traffic. Edge controls cannot replace Microsoft’s mitigation or Exchange security updates, but they can help restrict exposed mail web access, challenge suspicious traffic, and raise monitoring while administrators apply Microsoft’s protection.
