Outlook Web Access
The browser-based email interface for Microsoft Exchange Server; targeted by the CVE-2026-42897 cross-site scripting zero-day in May 2026.
Last refreshed: 20 May 2026 · Appears in 1 active topic
With no Exchange patch before 29 May, should organisations disable OWA entirely?
Timeline for Outlook Web Access
Exchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesMentioned in: Patch Tuesday clean streak hides out-of-band KEVs
Cybersecurity: Threats and DefencesWhat is Outlook Web Access and how does the CVE-2026-42897 attack work?
Is Exchange Online affected by the CVE-2026-42897 OWA zero-day?
Should we disable OWA to protect against CVE-2026-42897?
Background
Outlook Web Access (OWA) is the browser-based email client built into Microsoft Exchange Server, allowing users to access mailboxes, calendars, and contacts from any web browser without a local mail client. In May 2026, OWA became the attack surface for CVE-2026-42897, a cross-site scripting (XSS) zero-day rated CVSS 8.1, added to CISA's Known Exploited Vulnerabilities catalogue on 15 May 2026 with a 29 May federal Deadline. Microsoft has not shipped a patch. In an XSS attack, a threat actor injects malicious script into the web interface that executes in a victim's browser, enabling session-token theft, credential capture, or redirects to attacker-controlled infrastructure. Active exploitation against on-premises Exchange Server 2016, 2019, and Subscription Edition is confirmed; the cloud-hosted Exchange Online service is unaffected.
OWA was introduced with Exchange 2000 Server and has served as the de facto remote-access method for enterprises unwilling or unable to deploy VPN-based Outlook connectivity. Its browser-rendered interface makes it particularly sensitive to XSS flaws, as the trusted execution environment is the end-user's session cookie rather than a native application's credential store.
Microsoft's only sanctioned mitigation for CVE-2026-42897 is an Exchange Emergency Mitigation Service URL-rewrite rule applied via the EEMS framework. The rule carries documented side effects: the OWA calendar print function stops working, inline images may fail to render, and OWA Light mode breaks entirely. Organisations disabling OWA to eliminate the attack surface lose a primary remote-access channel, leaving CISOs to weigh user-experience degradation against confirmed exploitation risk in the fourteen days before the CISA Deadline.