On 4 July 2026, any UK business still running on-premises Microsoft Exchange faces a decision that has quietly changed shape. CVE-2026-42897 — a cross-site scripting (XSS) zero-day in Exchange Server’s Outlook Web Access (OWA) — has been actively exploited since the middle of May 2026, was added to CISA’s Known Exploited Vulnerabilities catalogue, and carries a Microsoft-assigned CVSS score of 8.1. It requires no attacker privileges and no stolen credentials: an attacker sends a single crafted email, the recipient opens it in OWA, and arbitrary JavaScript runs in that user’s browser session. Session hijacking, spoofing and credential theft all follow from there.
Microsoft shipped the fix in its June 2026 Exchange Server Security Update, released on 9 June 2026. But the harder news is structural. From July 2026, Exchange servers not updated to that June Security Update can no longer receive new Emergency Mitigation Service (EEMS) configuration files — the automatic, cloud-delivered defences Microsoft pushes when the next zero-day lands. Exchange Server 2016 and 2019 have been out of mainstream support since October 2025, and post-May 2026 updates now require paid Extended Security Update enrolment. This confluence — live exploit, loss of automatic mitigations, and out-of-support on-premises versions — is the clearest signal yet that migrating to Exchange Online and Microsoft 365 is no longer a “someday” project for UK SMEs. This article sets out exactly what CVE-2026-42897 is, why it matters, and the 10-step Microsoft 365 migration plan every UK SME on legacy Exchange should run this week.
What CVE-2026-42897 actually is — and why the score matters
CVE-2026-42897 is a stored cross-site scripting vulnerability in Outlook Web Access, the browser-based mail client that ships with on-premises Exchange Server. XSS is one of the oldest classes of web vulnerability — it sits in the OWASP Top 10 and has done for two decades — but its persistence in enterprise mail is exactly the point. As one Dark Reading analyst put it bluntly, “XSS still owns enterprise mail in 2026”. The reason is that webmail is, by design, a system that renders untrusted content (email from anyone) inside a trusted, authenticated browser session. When the sanitisation of that content fails, the attacker’s code inherits the victim’s session.
The attack chain is disarmingly simple. An attacker crafts an email containing a malicious payload that survives OWA’s content filtering. The email is delivered to a target mailbox. When the user opens it in OWA, the embedded JavaScript executes in the browser context — with the user’s authenticated Exchange session. From that position, the attacker can read and exfiltrate mailbox contents, hijack the OWA session token, impersonate the user to send spoofed internal email, and harvest credentials through convincing in-session phishing. Because the code runs as the legitimate user, it can bypass many perimeter controls that assume traffic inside an authenticated session is trustworthy.
There is an important scoring nuance UK IT leaders must not miss. NIST’s National Vulnerability Database scored CVE-2026-42897 at 6.1 (medium), while Microsoft scored it at 8.1 (high). The gap reflects different assumptions about the deployment context and the realistic impact of session compromise in an enterprise mail environment. For enterprise risk decisions, use Microsoft’s 8.1 score — Microsoft has visibility into how the flaw behaves in real Exchange deployments, and CISA’s decision to add the CVE to its KEV catalogue confirms that the practical risk is closer to the higher figure. Treating this as a “medium” because NVD said so is precisely the kind of scoring complacency attackers rely on.
Microsoft fixed CVE-2026-42897 in the June 2026 Exchange Server Security Update on 9 June 2026. Any organisation that applied it within the NCSC’s recommended 14-day window for high-severity flaws was protected by late June. The larger problem is forward-looking: from July 2026, Exchange servers that are not on the June 2026 SU can no longer receive new EEMS configuration files. EEMS is the mechanism Microsoft uses to auto-apply emergency interim mitigations (it applied mitigation M2.1.0 for this very flaw to connected servers). Falling off EEMS means that when the next Exchange zero-day appears — and history says it will — your server will not receive the automatic stopgap protection while you scramble to test and deploy a patch. That is a permanent downgrade of your security posture, not a one-off miss.
How the Exchange zero-day unfolded — a chronology
CVE-2026-42897 did not appear from nowhere. It follows a now-familiar rhythm: quiet exploitation, a scheduled patch, public disclosure, KEV listing, and a hard deadline that separates the maintained from the exposed. The timeline below sets out the sequence UK IT teams need to understand.
Why the impact of an OWA session compromise is so high
To communicate the urgency to non-technical stakeholders, it helps to itemise what an attacker actually gains from arbitrary JavaScript execution inside an authenticated OWA session. The bar chart below ranks the practical impact categories of a successful CVE-2026-42897 exploitation, from the most immediately damaging to the more secondary consequences.
The most dangerous of these is the combination of session hijacking and internal impersonation. Once an attacker can send email as a legitimate internal user — particularly a finance or executive account — they can run business email compromise (BEC) and invoice-fraud attacks that bypass the scepticism external phishing usually triggers. An email genuinely originating from your finance director’s real mailbox, sent from inside your own Exchange server, is extraordinarily difficult for staff and even for automated controls to flag. That is why an 8.1 “webmail XSS” translates in practice into a direct path to financial and data loss.
How many UK organisations are still exposed?
Microsoft does not publish a live figure for on-premises Exchange adoption in the UK SME market, and patch-adoption rates for Exchange Security Updates are notoriously lagging because SU deployment requires maintenance windows, cumulative-update prerequisites, and post-install validation. The donut below reflects a best-estimate of the share of on-premises Exchange installations still not on the June 2026 SU several weeks after release, based on historical Exchange patch-adoption benchmarks.
Exchange Security Update adoption has historically trailed release by weeks or months. A 30–40% un-updated share several weeks post-release is consistent with prior Exchange SU cycles — and each of those un-updated servers is now both exploitable and disconnected from future automatic mitigation. Crucially, this exposure is concentrated in exactly the organisations least equipped to respond: UK SMEs without a dedicated in-house Exchange administrator, often running Exchange 2016 or 2019 on ageing hardware, frequently unaware that ESU enrolment is now required to receive the fix at all.
The on-premises Exchange exposure grid — score yourself
Not every on-premises Exchange installation carries the same risk. The scorecard below sets out the eight factors that determine whether an organisation is at immediate risk from CVE-2026-42897, at risk from the EEMS cut-off and the next zero-day, or structurally cornered by out-of-support versions.
Any organisation scoring High on the first two rows is exposed right now: an internet-published OWA on an unpatched, un-enrolled legacy Exchange server is a direct target for an actively exploited flaw. But the more strategically important row is the last one. An organisation without a migration plan is not merely exposed to this CVE — it is committing to absorb every future Exchange zero-day on an out-of-support platform that is losing its automatic safety net.
The cost of staying on-premises versus moving to Microsoft 365
The direct and indirect costs of remaining on legacy on-premises Exchange have shifted sharply now that mainstream support has ended. The table below shows indicative annual cost and risk bands for UK organisations of different sizes, comparing the true cost of keeping legacy Exchange running against the managed-migration alternative.
| Organisation size | Typical legacy Exchange annual cost (hardware, ESU, admin, risk) | Indicative breach exposure if OWA exploited | Managed Microsoft 365 migration outlook |
|---|---|---|---|
| Micro (1–10 staff) | £3,000–£8,000 incl. ESU & ageing hardware | £10,000–£40,000 (BEC fraud, recovery, downtime) | Per-mailbox migration, days not weeks; ongoing M365 licensing |
| Small (10–50 staff) | £8,000–£20,000 incl. ESU, server refresh, patch labour | £40,000–£150,000 (data exfiltration, ICO exposure) | Batch mailbox migration over 1–3 weekends; zero-downtime cutover |
| Mid-market (50–250 staff) | £20,000–£60,000 incl. redundant servers, DR, ESU | £150,000–£750,000 (multi-account compromise, reputational) | Phased or hybrid migration; unified GAL and free/busy during cutover |
| Large (250–1,000 staff) | £60,000+ incl. multi-site Exchange estate & specialist staff | £500,000+ (regulatory, forensic, supply-chain trust damage) | Staged Exchange hybrid migration with runbook and dedicated PM |
These figures exclude the harder-to-quantify costs: the management attention consumed by every emergency Exchange patch weekend, the recruitment difficulty of retaining Exchange administrators as the platform shrinks, and the opportunity cost of running mail infrastructure at all when it delivers no competitive advantage. Exchange Online was never affected by CVE-2026-42897 — Microsoft patched the service centrally before most tenants were aware there was an issue. That single fact reframes the economics: the premium you pay for on-premises Exchange increasingly buys you more risk and operational burden, not more control.
Reactive on-premises Exchange versus a proactive Microsoft 365 posture
Reactive posture
What most UK SMEs on legacy Exchange do today
- Apply Exchange Security Updates weeks or months late, pending a maintenance window
- Discover ESU enrolment is required only when the patch will not install
- OWA published directly to the internet with no WAF in front
- Rely on EEMS auto-mitigation without confirming the server is still connected
- No OWA session or access-log review between incidents
- Every Exchange zero-day handled as a weekend emergency
- Ageing on-premises hardware carrying single points of failure
- No documented CE v3.3 14-day patching SLA for mail infrastructure
Proactive posture
Where Cloudswitched Cloud Email takes you
- Mail platform patched centrally by Microsoft — no server SU weekends
- No ESU cost, no end-of-support cliff, no hardware refresh cycle
- Exchange Online Protection, ATP anti-phishing and DLP built in
- SPF, DKIM and DMARC configured and maintained as standard
- Conditional access, MFA and session controls on every mailbox
- Zero-days handled by the vendor before most tenants are aware
- 99.9% cloud uptime SLA with no single on-premises point of failure
- CE v3.3 patching evidence trail maintained as a managed service
The 10-step Microsoft 365 migration plan every UK SME should run this week
This plan does two things at once. Steps 1–4 close the immediate CVE-2026-42897 exposure on your existing on-premises Exchange — because you must be safe today regardless of your longer-term direction. Steps 5–10 lay out a controlled, zero-downtime migration to Exchange Online and Microsoft 365, so that this is the last Exchange zero-day you ever have to firefight. Cloudswitched has delivered 200+ Microsoft 365 migrations and moved 20,000+ users, and this is the structure we follow.
Steps 1–4 are non-negotiable and must happen this week whatever else you decide — an actively exploited flaw does not wait for a migration project. Steps 5–10 turn a defensive scramble into a strategic exit: the point at which mail stops being infrastructure you own, patch and worry about, and becomes a managed service the vendor secures on your behalf. Step 8 is the one to respect above all — the MX cutover happens only after every mailbox is migrated and verified, which is what makes a zero-downtime migration possible.
Microsoft’s guidance for this flaw is explicit and easy to overlook: keep the CVE-2026-42897 mitigations applied even after installing the June 2026 Security Update. Administrators frequently remove interim mitigations once the “real” patch is in, on the assumption the mitigation is now redundant. For this vulnerability, Microsoft recommends leaving them in place as defence-in-depth. If you cannot apply the June SU immediately — for example, because your Exchange 2016/2019 estate is not yet ESU-enrolled — then, as a temporary measure, restrict internet access to OWA to trusted networks or place a web application firewall in front of it while you complete enrolment and patching. This is a stopgap, not a fix: the durable answer is to remove the on-premises OWA attack surface entirely by migrating to Exchange Online.
What the Exchange pattern tells UK businesses about mail security in 2026
CVE-2026-42897 is not an isolated incident but part of a sustained pattern of on-premises Microsoft server software being targeted through 2025 and 2026 — from Exchange and SharePoint to the wider Patch Tuesday volume UK IT teams now face every month. The common thread is that internet-exposed, on-premises enterprise servers are among the highest-value targets available to threat actors, precisely because so many organisations run them out-of-support, under-patched and under-monitored. The 43% of UK businesses that reported a breach in the last 12 months (Cyber Security Breaches Survey 2025/2026) are disproportionately those still carrying legacy infrastructure they cannot patch fast enough.
The strategic implication for UK SMEs is that mail is no longer a workload worth self-hosting. The three forces converging on legacy Exchange — active exploitation, the EEMS cut-off, and the end of mainstream support with paid-only ESU — will not reverse. Each is a one-way door. Microsoft’s own recommended paths are to upgrade to Exchange Server Subscription Edition or migrate to Exchange Online; for the overwhelming majority of UK SMEs, Exchange Online is the lower-cost, lower-risk destination, with security updates applied centrally, Exchange Online Protection built in, and no hardware or ESU liability. CVE-2026-42897 is best understood not as a patch to apply but as a prompt to act on a migration many UK SMEs have deferred for years.
At-a-glance reference: CVE-2026-42897 key facts
| Attribute | Detail |
|---|---|
| CVE identifier | CVE-2026-42897 |
| Vulnerability type | Cross-site scripting (XSS) in Outlook Web Access (OWA) |
| CVSS score | 8.1 high (Microsoft) — use this figure; NIST NVD scored 6.1 medium |
| Privileges required | None — remote, attacker sends a crafted email opened in OWA |
| Affected products | Exchange Server 2016 CU23, 2019 CU14/CU15, Exchange SE RTM |
| Not affected | Exchange Online / Microsoft 365 — already protected, no action needed |
| Patch | June 2026 Exchange Server Security Update, released 9 June 2026 |
| Interim mitigation | EEMS mitigation M2.1.0 — keep applied even after patching |
| Active exploitation | Since mid-May 2026; added to CISA KEV catalogue |
| Key deadline | July 2026 — servers not on June SU stop receiving new EEMS files |
| Support status | Exchange 2016/2019 out of mainstream support since October 2025; Period 2 ESU (May–Oct 2026) costs extra |
| UK compliance angle | NCSC 14-day patching guidance; Cyber Essentials v3.3 14-day SLA; ICO 72-hour breach notification |
Related articles from the Cloudswitched news series
CVE-2026-42897 sits within a broader 2026 pattern of on-premises enterprise software being exploited faster than UK SMEs can patch it. Our recent briefings connect directly: the SharePoint CVE-2026-45659 RCE exploit is the same story on Microsoft’s other flagship on-premises server — a critical flaw exploited within weeks of patching; the June 2026 Patch Tuesday (206 CVEs) shows the sheer volume of patch work that produces the 30–40% un-updated lag legacy Exchange servers fall into; the Oracle EBS CVE-2026-46817 payments exploit demonstrates the identical patch-diff reverse-engineering pattern on enterprise ERP; the Cyber Security and Resilience Bill sets out the tightening UK regulatory backdrop that makes documented 14-day patching non-optional; and the Scattered Spider TfL conviction illustrates how session and credential compromise — exactly what an OWA XSS enables — underpins the most damaging UK breaches. For the strategic view, the £2.5bn JLR cyberattack resilience plan shows the board-level cost of infrastructure that cannot be secured fast enough.
Still running on-premises Exchange? This is the moment to plan your exit.
CVE-2026-42897 is actively exploited, and from July 2026 un-updated Exchange servers no longer receive Microsoft’s automatic EEMS mitigations. Cloudswitched Cloud Email with Microsoft 365 has delivered 200+ managed migrations and moved 20,000+ users — with zero-downtime cutover, full SPF/DKIM/DMARC configuration, and no more Exchange patch weekends.
Talk to us about Cloud Email with Microsoft 365Frequently asked questions
Make CVE-2026-42897 the last Exchange zero-day you ever firefight
On-premises Exchange now means active exploits, paid ESU, and the loss of automatic EEMS mitigations from July 2026. Exchange Online was never affected. Cloudswitched Cloud Email with Microsoft 365 moves your mail to a platform Microsoft secures centrally — 200+ migrations delivered, 20,000+ users moved, zero-downtime cutover, and full email security configured as standard. If you are still on legacy Exchange, this is the week to plan the move.
Talk to us about Cloud Email with Microsoft 365


