What happened
On 14 May 2026 Microsoft disclosed CVE-2026-42897, an XSS/spoofing vulnerability affecting Outlook Web Access (OWA) on on-premises Exchange Server 2016, 2019 and Subscription Edition. It carries a CVSS score of 8.1. The vulnerability is triggered simply by rendering a crafted email inside OWA, and it is being actively exploited in the wild.
On 18 May 2026 CISA (Cybersecurity and Infrastructure Security Agency) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline for US federal agencies. This is the official signal that exploitation is already ongoing. Microsoft has not released a definitive patch yet: only a mitigation guide is available on the Tech Community.
Who is impacted (and who is not)
All on-premises installations of Exchange Server 2016, 2019 and Subscription Edition are vulnerable. Exchange Online — the mail service included in Microsoft 365 — is not impacted: for cloud tenants the mitigations have already been applied by Microsoft at service level.
The picture is significant for many Italian SMEs: an on-prem Exchange Server is often years old, tightly integrated with corporate Active Directory, hard to keep patched and — precisely because of that infrastructure inertia — remains in production even when the vendor no longer guarantees the same quality of service as the cloud. A vulnerability like CVE-2026-42897 hits exactly these scenarios.
What to do right now
If your company still runs an on-prem Exchange Server, the following actions should be started today:
1. Apply the Microsoft mitigation guide — follow the instructions published on the Tech Community for CVE-2026-42897 and make sure the latest Cumulative Updates are installed. Mitigation is the minimum baseline to shrink the exposure window.
2. Review OWA logs and recent access — look for anomalies in webmail logins, attempts to render suspicious messages and unexpected behaviour of administrative accounts. A potential compromise may have already happened.
3. Rotate privileged credentials and secrets — in case of doubt, change passwords and secrets for Exchange and domain admin accounts, revoke active sessions and review any recently created auto-forward rules.
4. Layer a modern email protection — reducing the chance that a malicious email ever reaches the user is the first line of defence: our ATWS Email Security Gateway service, qualified by the ACN (Italian National Cybersecurity Agency) at level QC1, filters spam, phishing and malicious payloads before they enter the company.
5. Plan the migration to Microsoft 365 — the structural fix is to leave on-prem behind. Below you find the way ATWS frames the journey.
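Steps 2 and 3 are the ones an administrator can start on immediately, so here is an added example of how they can be run from the Exchange Management Shell on the on-prem server. This is illustrative code written for this article, not a script from Microsoft or from the mitigation guide. The IIS log folder (the default for the first IIS site) and the 7-day lookback window are assumptions; adjust both to your environment. The script only reads logs, rules and audit entries; it changes nothing.

```powershell
# Added example: OWA access review (step 2) and forwarding review (step 3)
# for an on-prem Exchange Server. Run from the Exchange Management Shell.
# Assumptions: default IIS log folder and a 7-day window (adjust as needed).
param(
    [string]$IisLogPath  = 'C:\inetpub\logs\LogFiles\W3SVC1',  # assumption: default IIS site
    [int]$LookbackDays   = 7                                    # assumption: review window
)

$since = (Get-Date).AddDays(-$LookbackDays)

# ---- Step 2: OWA access review from the IIS W3C logs --------------------
# W3C logs declare their columns in a '#Fields:' header; parse it instead
# of hard-coding positions, because the field set differs between servers.
function Get-OwaRequests {
    param([string]$Path, [datetime]$Since)
    Get-ChildItem -Path $Path -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $fields = $null
            foreach ($line in Get-Content -Path $_.FullName) {
                if ($line.StartsWith('#Fields:')) {
                    $fields = $line.Substring(8).Trim() -split ' '
                    continue
                }
                if ($line.StartsWith('#') -or -not $fields) { continue }
                $values = $line -split ' '
                $row = @{}
                for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
                if ($row['cs-uri-stem'] -like '/owa/*') { [pscustomobject]$row }
            }
        }
}

$owa = Get-OwaRequests -Path $IisLogPath -Since $since

# Authenticated OWA activity grouped by user and source IP. A user appearing
# from many previously unseen addresses, or an admin account using webmail
# at all, is what step 2 tells you to look for.
$owa | Where-Object { $_.'sc-status' -eq '200' -and $_.'cs-username' -ne '-' } |
    Group-Object 'cs-username', 'c-ip' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# User agents that do not look like a browser: scripted access to OWA.
$owa | Where-Object { $_.'cs(User-Agent)' -notmatch 'Mozilla|Edge|Chrome|Safari|Firefox' } |
    Group-Object 'cs(User-Agent)' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# ---- Step 3: forwarding review -------------------------------------------
# Mailbox-level forwarding, which only an admin-level identity can set.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# Inbox rules in every mailbox that forward, redirect or silently delete mail.
# Enumerating per mailbox catches rules created from Outlook as well as OWA.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize

# Rule and forwarding changes made through cmdlets inside the window, with
# the identity that made them (requires admin audit logging to be enabled).
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, CmdletName | Format-Table -AutoSize
```

Read the three outputs together: a mailbox that shows up in the OWA access table from an unfamiliar IP, then again in the forwarding-rule list, with a matching audit entry whose Caller is not the mailbox owner, is the pattern that turns step 2 into step 3 (rotate the credentials, revoke sessions, remove the rule).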
Why Exchange on-prem is unsustainable today
Every Exchange Server on-premises means owning the full attack surface yourself: monthly updates, mitigations for zero-days like this one, OWA hardening, log monitoring, certificate management and Active Directory integrations. In SMEs without a structured IT team, this work often translates into late patches, dated configurations and services exposed to known vulnerabilities. The actual TCO (licences, hardware, maintenance, staff, incident response) almost always exceeds the cost of a Microsoft 365 subscription.
In the cloud, platform responsibility belongs to Microsoft: updates, mitigations and infrastructure protection are part of the service. SMEs can focus on their own security configuration (Conditional Access, MFA, Defender) instead of chasing every CVE advisory. This is exactly what CVE-2026-42897 highlights: those who run on Exchange Online had nothing to do themselves; those who run on-prem must act quickly.
How ATWS handles the migration to Microsoft 365
AtWorkStudio supports SMEs in the transition from Exchange on-prem to Microsoft 365 with an operational approach. We start with an assessment of the current environment (number of mailboxes, historical archives, mail rules, application integrations, AD dependencies), define the migration strategy (rapid cut-over for small scenarios, progressive hybrid for complex environments) and follow the customer all the way to the decommissioning of the on-prem server. Small migrations can be completed even in a single day; complex environments take weeks or months and require a controlled hybrid coexistence phase.
On the security side, we layer two ACN QC1-qualified services on top of the migration: ATWS Email Security Gateway for perimeter mail protection and ATWS Secure Backup Microsoft 365 for independent backup of mailboxes, OneDrive and SharePoint — two layers of defence that the baseline Microsoft 365 tenant does not include. We operate from Piacenza since 2000, are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.
Sources
- Microsoft Tech Community — Addressing Exchange Server May 2026 Vulnerability CVE-2026-42897 (14 May 2026)
- Bleeping Computer — Microsoft warns of Exchange zero-day flaw exploited in attacks (15 May 2026)
- Dark Reading — Microsoft Exchange Zero-Day, No Patch
- CISA — Known Exploited Vulnerabilities Catalog, CVE-2026-42897 entry (18 May 2026)
- Matrice Digitale — CISA, Exchange and Windows 11 (18 May 2026)