Microsoft Exchange Server CVE-2026-42897 Vulnerability Mitigation and Protection Procedure.
According to a security announcement by Microsoft, a critical vulnerability, CVE-2026-42897, has been identified affecting on-premises Microsoft Exchange Server environments (Exchange 2016, 2019, and Subscription Edition) that could lead to client-side code execution (XSS) after user interaction in the Outlook Web Access (OWA) component. Until a permanent security update is released, Microsoft is providing temporary protection (IIS URL Rewrite rules and CSP directives) through Exchange Emergency Mitigation Service (EEMS) or the EOMT.ps1 script. However, running these rules directly on Exchange servers can lead to significant performance bottlenecks and functional disruptions in high-traffic environments. Therefore, the following action plan should be implemented immediately.
ANALYSIS AND PROACTIVE SECURITY APPROACH
Recommended actions to be taken by WAF / Network / Security Teams:
To ensure that these attack patterns are dropped at the WAF, WAP (Web Application Proxy), Reverse Proxy, or EDR level before reaching the Exchange IIS layer, it is recommended to define rules/signatures according to the vulnerability specifications detailed below:
1. CVE-2021-26855 — ProxyLogon SSRF Attack Type:
- SSRF (Server Side Request Forgery)
- Backend routing manipulation
- Authentication bypass
Objective: To gain access to internal endpoints by abusing the Exchange backend mailbox routing mechanism. Recommended Pattern to Block (HTTP Cookie): Filter/block the following expressions in the Cookie header of HTTP requests: `X-AnonResource-Backend` and `X-BEResource=.../...~...` (Example: Cookie: X-BEResource=Admin@exchange.local/autodiscover/autodiscover.xml?a=~)
2. CVE-2022-41040 — ProxyNotShell Attack Type:
- Remote PowerShell access
- Backend proxy abuse
- RCE chain start
Objective: To gain unauthorized access to the PowerShell backend through the Autodiscover endpoint. Recommended Pattern to Block (URL filtering): Drop the request when both of the following expressions appear together in the URL line of an incoming request: `autodiscover` and `powershell` (Example: /autodiscover/autodiscover.json?@evil.com/powershell)
3. CVE-2026-42897 — OWA XSS Attack Type:
- Cross Site Scripting (XSS)
- Inline JavaScript event handler injection
Objective: To prevent client-side code execution by blocking the execution of inline JavaScript event attributes such as `onclick` and `onload`. Suggested Gateway Action (Header/Response Inspection): Inject or verify the presence of the following Content Security Policy (CSP) directive in OWA HTML responses at the boundary layer (WAF/Reverse Proxy): `script-src-attr 'none'`
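As an added illustration (not part of the original procedure and not Microsoft's EEMS/EOMT rule set), the following Python sketch applies the three gateway checks above to constructed sample requests and responses; the helper names and the sample traffic are hypothetical, and a production WAF would express the same logic in the vendor's rule syntax.

```python
import re

# ProxyLogon (CVE-2021-26855): backend-routing cookies. The X-BEResource value
# shape ".../...~..." follows the pattern given in the procedure above.
BERESOURCE_RE = re.compile(r"X-BEResource=[^;]*/[^;]*~", re.IGNORECASE)
ANONRESOURCE_RE = re.compile(r"X-AnonResource-Backend", re.IGNORECASE)
# CVE-2026-42897 mitigation: the CSP directive that must be present in OWA responses.
REQUIRED_CSP_DIRECTIVE = "script-src-attr 'none'"


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def inspect_request(path: str, headers: dict) -> list:
    """Return the CVE ids whose block pattern matches the request; [] means pass."""
    hits = []
    cookie = _header(headers, "Cookie")
    if ANONRESOURCE_RE.search(cookie) or BERESOURCE_RE.search(cookie):
        hits.append("CVE-2021-26855")
    lowered = path.lower()
    # ProxyNotShell: both tokens must appear in the same URL line. Either token
    # alone (e.g. a normal /autodiscover/autodiscover.xml request) is legitimate.
    if "autodiscover" in lowered and "powershell" in lowered:
        hits.append("CVE-2022-41040")
    return hits


def csp_blocks_inline_handlers(response_headers: dict) -> bool:
    """True if the response CSP carries script-src-attr 'none' (whitespace/case tolerant)."""
    csp = _header(response_headers, "Content-Security-Policy")
    directives = {" ".join(d.split()).lower() for d in csp.split(";")}
    return REQUIRED_CSP_DIRECTIVE in directives


if __name__ == "__main__":
    # Constructed sample traffic (not captured data), one case per rule.
    samples = [
        ("/owa/", {"Cookie": "ClientId=abc123"}),
        ("/owa/", {"Cookie": "X-BEResource=Admin@exchange.local/autodiscover/autodiscover.xml?a=~"}),
        ("/autodiscover/autodiscover.json?@evil.com/powershell", {}),
        ("/autodiscover/autodiscover.xml", {}),
    ]
    for path, hdrs in samples:
        print(path, "->", inspect_request(path, hdrs) or "pass")
    owa_response = {"content-security-policy": "default-src 'self'; script-src-attr  'none'"}
    print("CSP mitigation present:", csp_blocks_inline_handlers(owa_response))
```

Run the same checks against a sample of real OWA access logs before enabling a blocking rule, so that legitimate Autodiscover traffic is confirmed to pass.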
ACTIONS THAT NEED TO BE TAKEN
Rule and pattern checks implemented by EEMS or EOMT.ps1 (e.g., script-src-attr 'none' CSP directive, X-BEResource cookie check for ProxyLogon, or URL regex checks for ProxyNotShell) run at the IIS URL Rewrite layer. The steps to be performed and checked on the system side until a permanent security update is released are listed below.
1. CPU Bottleneck Warning:
Regex inspection is CPU-intensive. To avoid CPU bottlenecks in the IIS worker processes (w3wp.exe) under high user traffic, and the user experience degradation that follows, it is recommended to verify that these exploit patterns are already blocked at the WAP/WAF layer or by EDR, using WAF signatures, reverse proxy ACLs, header inspection, cookie filtering, and URL filtering, before they reach the Exchange servers.
2. EEMS and Protection Status Check
- On systems accessible via the internet, Exchange Emergency Mitigation Service (EEMS) automatically downloads this rule. The active status of the rules must be verified using the MS HealthChecker script.
- Note: HealthChecker may show a "Mitigation invalid for this exchange version" warning for CVE-2026-42897. If the rule status is "Applied," this warning is cosmetic and the protection should be considered active.
3. Checking Supported CU Levels
For permanent Security Update packages to be applied, servers must be at the current supported Cumulative Update (CU) level. Outdated servers should be upgraded quickly.
- Exchange 2016: CU23
- Exchange 2019: CU14 / CU15
- Exchange Server SE
4. Monitoring OWA Access and System Resources
- Performance Monitoring: Server CPU and memory usage should be monitored after the mitigation is applied.
- Log Analysis: OWA access logs, suspicious redirects, user-based anomalies, and MFA logs should be reviewed.
KNOWN SIDE EFFECTS AND POTENTIAL PROBLEMS
- Calendar Printing: When attempting to print a calendar via OWA, you may receive a blank page or an error.
- Inline Images: Images or signature logos embedded in the email body may appear as broken links (X).
- Additional File Preview: Previewing PDF or Office documents in the browser may be restricted.
- Re-authentication: Active OWA sessions may be dropped and users may be prompted for their passwords again as soon as the rule is injected.
- Add-in Issues: Third-party add-ons integrated with OWA, such as corporate signature or CRM, may stop working.
- Latency: The Emergency Mitigation (EM) service checks the mitigation XML once an hour, so it may take time for the rule to reach the server and for the application pools to be recycled.
When a permanent Security Update is released, it is planned to be verified in test environments and then applied to live systems within the shortest maintenance window.