An active exploitation campaign targeting on-premises corporate mail systems has prompted federal authorities to add a persistent (stored) cross-site scripting vulnerability to the national catalog of known exploited vulnerabilities. The flaw lets remote actors execute arbitrary script in a target user's browser at the moment the inbox is rendered.
The vulnerability, tracked as CVE-2026-42897, resides in the Outlook Web Access interface of Microsoft Exchange Server. By crafting a malicious email that embeds malformed tags in the message header or body parameters, an attacker can bypass OWA's HTML sanitization rules. When an authenticated user opens the message in a web browser, the payload runs silently in the context of the active email session. CISA added this vector to the KEV catalog on May 15, establishing a strict federal remediation window.
Web-facing mail flaws are a preferred vector for corporate reconnaissance and credential-theft groups. Script running inside an active browser tab can read session cookies, download mailbox contents, and perform unauthorized actions on the user's behalf, all while bypassing perimeter defensive telemetry, since every request originates from a legitimately authenticated session.
– Apply the vendor's platform updates and interim mitigations for on-premises mail infrastructure immediately.
– Ensure the Exchange Emergency Mitigation Service is enabled and actively downloading the latest mitigations.
– Enforce strict content security policies in enterprise browsers so that unverified inline script cannot execute in web interfaces.
– Monitor mailbox diagnostics for unusual session tokens and for forwarding or redirect rules created through OWA.
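As an added example that is not part of the original post, the following Exchange Management Shell script audits inbox rules and mailbox-level forwarding for destinations outside the organisation, the post-compromise persistence the last monitoring item is meant to catch. It assumes an Exchange Management Shell session with rights to read mailboxes and inbox rules; `example.com` is a placeholder for your own accepted domains.

```powershell
# Added example, not from the original post: audit inbox rules and mailbox-level
# forwarding for destinations outside the organisation.
# Assumes an Exchange Management Shell session with rights to read mailboxes
# and inbox rules. 'example.com' is a placeholder for your accepted domains.
$InternalDomains = @('example.com')

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients render as 'Display Name [SMTP:user@domain]' or 'smtp:user@domain';
    # extract the bare address before comparing the domain (-match is case-insensitive).
    if ($Recipient -match 'smtp:([^\]\s"]+)') { $addr = $Matches[1] } else { $addr = $Recipient.Trim() }
    if ($addr -notmatch '@') { return $false }          # internal directory object, not an SMTP address
    $domain = ($addr -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, whether set by an admin or through a hijacked session
    foreach ($fwd in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
        if (Test-ExternalRecipient -Recipient "$fwd") {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding';
                               Rule = '-'; Enabled = $true; Target = "$fwd";
                               DeletesCopy = -not $mbx.DeliverToMailboxAndForward }
        }
    }
    # Inbox rules: the usual persistence left behind after a web-session compromise
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalRecipient -Recipient "$t") {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule';
                                   Rule = $rule.Name; Enabled = $rule.Enabled; Target = "$t";
                                   DeletesCopy = [bool]$rule.DeleteMessage }   # forward-and-delete hides the theft
            }
        }
    }
}

$findings | Sort-Object Mailbox, Rule | Format-Table -AutoSize
```

Rows with DeletesCopy set to True deserve the first look, since a rule that forwards and then deletes keeps the mailbox owner from noticing the exfiltration.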
Perimeter mail interfaces require aggressive input validation so that message delivery components cannot become client-side exploitation paths. #CodeDefence #Microsoft #ExchangeServer #CISA #KEV