IT SPARC Cast

Microsoft Exchange Zero-Day: No Patch, Active Exploitation, Major Risk



A newly disclosed Microsoft Exchange vulnerability is actively being exploited in the wild, and there’s still no permanent patch available. In this episode of IT SPARC Cast – CVE of the Week, John and Lou break down CVE-2026-42897, explain how attackers can exploit Outlook Web Access through malicious emails, and discuss why temporary mitigations may not be enough for organizations still running on-prem Exchange.



📄 Show Notes


🚨 CVE of the Week: Microsoft Exchange / Outlook Web Access Exploit


This week’s episode focuses on CVE-2026-42897, a high-severity vulnerability affecting:


  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Exchange Subscription Edition


The vulnerability is a cross-site scripting (XSS) and spoofing flaw impacting Outlook Web Access (OWA).



⚠️ How the Attack Works


Attackers send specially crafted emails; when a recipient opens one in Outlook Web Access, the embedded JavaScript runs in the recipient's browser in the context of their authenticated OWA session.


Potential impacts include:


  • Session hijacking: theft of the victim's OWA session, giving the attacker mailbox access as that user
  • Script execution in the victim's browser (an XSS flaw runs code client-side, not on the Exchange server itself)
  • Spoofing: content rendered in OWA that appears to come from a trusted sender or from the application


The vulnerability is already being actively exploited in the wild.



🌐 Who Is Affected?


This impacts on-prem Exchange deployments only.


Cloud-hosted Exchange Online environments are not currently believed to be affected.


Organizations most at risk include:


  • Enterprises with legacy Exchange infrastructure
  • Organizations avoiding cloud email hosting
  • Remote-access-heavy environments relying on OWA



🛠️ Mitigation Steps for CVE-2026-42897


1️⃣ Apply Microsoft Emergency Mitigations


Microsoft has released temporary protections through:


  • Exchange Emergency Mitigation Service (EEMS)
  • URL rewrite mitigation rules


Apply these immediately.


⚠️ Important:

These mitigations are pattern-based (they match the known exploit traffic) and may be bypassed by modified variants of the exploit.



2️⃣ Consider Disabling Outlook Web Access (OWA)


If operationally possible:


  • Disable OWA temporarily
  • Require users to use the Outlook desktop client instead


This significantly reduces exposure.
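Steps 1 and 2 above as a single Exchange Management Shell script, added here as a worked example; it is not from the episode or from Microsoft. It assumes the Exchange cmdlets and the WebAdministration module are loaded on the server, that OWA is served under the default IIS site name "Default Web Site", and that a distribution group named "owa-exception" (hypothetical) lists the few mailboxes that must keep browser access.

```powershell
# Added example (not from the episode or from Microsoft). Run in the Exchange
# Management Shell on each on-prem Exchange server.
# Assumptions: Exchange cmdlets loaded, WebAdministration available, OWA under
# the IIS site "Default Web Site", and a hypothetical group "owa-exception".

# --- Step 1: confirm EEMS is on and able to fetch mitigations ---
# EEMS must be enabled at both the organization and the server level.
Get-OrganizationConfig | Select-Object MitigationsEnabled
Get-ExchangeServer | Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# EEMS pulls its rules from the Office Config Service; with no outbound HTTPS
# to it, nothing is ever applied (endpoint name per Microsoft's EEMS docs).
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded

# Turn EEMS on where it is off (organization first, then this server).
Set-OrganizationConfig -MitigationsEnabled $true
Set-ExchangeServer -Identity $env:COMPUTERNAME -MitigationsEnabled $true

# Microsoft ships a status script with Exchange that lists applied/blocked mitigations.
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"

# The URL rewrite mitigation lands as an IIS rewrite rule; look at what is
# actually configured rather than trusting a dashboard.
Import-Module WebAdministration
Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
    -PSPath 'IIS:\Sites\Default Web Site' |
    Select-Object name, patternSyntax, stopProcessing

# --- Step 2: disable OWA for every mailbox except a named exception group ---
# OWAEnabled is a per-mailbox setting, so desktop Outlook keeps working while
# the browser attack surface is closed for the affected users.
$keepOwa = Get-DistributionGroupMember -Identity 'owa-exception' |
    Select-Object -ExpandProperty PrimarySmtpAddress

Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -and ($keepOwa -notcontains $_.PrimarySmtpAddress) } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -OWAEnabled $false
        "Disabled OWA for $($_.PrimarySmtpAddress)"
    }

# Verify: anything still OWA-enabled should be on the exception list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Select-Object PrimarySmtpAddress, OWAEnabled
```

Disabling OWA per mailbox stops users from logging in through the browser, but the /owa endpoint on the server still answers requests; if the goal is to remove that surface entirely, the OWA virtual directory has to be taken out of IIS as well, which is a larger change with its own side effects.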



3️⃣ Prepare for Operational Side Effects


Known mitigation side effects include:


  • Calendar printing failures
  • Inline image rendering problems
  • Increased help desk tickets


Organizations should proactively communicate these issues to users.



4️⃣ Patch Immediately When Available


At recording time:


  • No permanent patch exists yet
  • Apply the official patch immediately once released


This is not a vulnerability where delayed patching is safe.



🔒 Security Takeaways


This vulnerability reinforces several growing cybersecurity realities:


  • On-prem infrastructure carries operational security burdens
  • Browser-based attacks remain highly effective
  • Temporary mitigations are not substitutes for permanent fixes


John and Lou also discuss how attackers increasingly chain vulnerabilities together and how AI-assisted exploit development is accelerating the speed of attacks.



💬 Listener Feedback


Thanks to listener "ZZZZ" on YouTube for pushing back on last week's discussion around passwords stored in clear text in memory.


The discussion highlights an important point:


  • Many vulnerabilities are low risk for average users
  • But become extremely dangerous for high-value targets such as executives and organizations with sensitive data



📣 Wrap Up


Are organizations moving away from on-prem Exchange fast enough, or are these vulnerabilities making the case for cloud migration even stronger?


📧 [email protected]

🐦 @itsparccast on X



🔗 Social Links


IT SPARC Cast

@ITSPARCCast on X

https://www.linkedin.com/company/sparc-sales/ on LinkedIn


John Barger

@john_Video on X

https://www.linkedin.com/in/johnbarger/ on LinkedIn


Lou Schmidt

@loudoggeek on X

https://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn

Hosted on Acast. See acast.com/privacy for more information.


IT SPARC Cast, by John Barger