Microsoft’s June 2026 Exchange Server Updates Fix OWA XSS Vulnerability
The latest Exchange Server update addresses web access risks and introduces requirements for continued mitigation support.
Key Takeaways:
- The OWA XSS flaw allows attackers to execute malicious scripts via email.
- This fix applies to Exchange Server 2016, 2019, and Subscription Edition.
- Systems must be updated to continue receiving new mitigations after July 2026.
Microsoft has rolled out the June 2026 security updates for Exchange Server. These patches are intended to strengthen email security and compliance in on-premises environments.
The June 2026 updates address various vulnerabilities, including CVE‑2026‑42897, identified through internal checks and external security reporting. CVE‑2026‑42897 is a high‑severity security flaw in Microsoft Exchange Server (2016, 2019, and Subscription Edition) caused by improper handling of user input in Outlook Web Access (OWA), which leads to a cross‑site scripting (XSS) vulnerability.
This flaw allows a remote attacker to send a specially crafted email that, when opened by a user in a web browser, can execute malicious JavaScript in that user’s session. It can enable actions such as impersonation, data theft, or unauthorized access to the mailbox without requiring prior authentication on the attacker’s side.
Affected Exchange Server versions and ESU limitations
Microsoft mentioned that these updates are available for Exchange Server Subscription Edition (SE), Exchange Server 2019, and Exchange Server 2016. However, Exchange Server 2016 and 2019 are already out of support, and only customers enrolled in the Extended Security Update (ESU) program (Period 2) are eligible to receive security patches released between May and October 2026. Microsoft advises other customers to upgrade to Exchange Server Subscription Edition (SE).
“Due to service-side change, the Exchange Emergency Mitigation (EM) and Exchange Flighting services will be unable to use configuration files released in July 2026 or later, unless Exchange is updated to June 2026 update (or newer). Any mitigations already downloaded and applied will keep working, but servers will not be able to use any new mitigations starting in July 2026 unless updates are installed,” the Exchange team explained.
Microsoft recommends that administrators begin by assessing their Exchange environment using the Exchange Health Checker script to identify any missing updates or configuration issues. Moreover, they should then install the latest cumulative and security updates and restart the server to ensure changes take effect. IT admins must verify that all services are running correctly and use available troubleshooting tools to resolve any problems encountered during or after the update process.
Rabia has a master's degree in Software Engineering and she has years of experience writing professionally about Microsoft products and other technologies. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on t...