If you run on-premises Exchange and you have been living inside CVE-2026-42897 this week, the headline risk is not subtle: Outlook Web Access can run attacker-controlled JavaScript in a victim’s browser when they open a specially crafted message, under conditions Microsoft spells out in its disclosure. Microsoft disclosed the issue May 14, 2026, flagged active exploitation, and pointed admins at the Exchange Emergency Mitigation (EM) Service first, with EOMT.ps1 for disconnected boxes (Exchange team blog). CISA added the CVE to its Known Exploited Vulnerabilities list May 15 (CISA alert).
Today's update to that same guidance post is operator-facing, not user-facing: Microsoft added a new known issue that shows up as telemetry rather than as another OWA rendering glitch.
What changed in the vendor note today
The Exchange team keeps a running “Updates to this blog post” changelog at the bottom of its mitigation article. Today’s addition says that once the mitigation is in place, OWACalendar.Proxy can start reporting unhealthy in the OWACalendar.Proxy healthset, which matters if you alert on Exchange health probes or feed those signals into a central SOC queue (same Exchange post, changelog dated 5/17/2026).
Microsoft’s own wording there is practical: if your monitoring stack treats that healthset as a pageable incident, you may be staring at new red that tracks the mitigation, not a fresh compromise. Their suggested posture is to ignore or tune those alerts until a proper security update ships and the emergency mitigation comes off.
False-positive storms are how teams learn to mute whole classes of signals; one noisy week with a documented, time-boxed exception is the lesser harm, so record why the healthset is being tuned rather than silencing it for good.
Quick facts on the vulnerability (no melodrama)
- Scope: Exchange Server 2016, 2019, and Subscription Edition on premises; Exchange Online is out of scope per Microsoft’s post.
- Shape: Cross-site scripting in OWA, not a kernel bug and not “mystery RCE from SMTP alone.” The threat model is still serious for OWA users because the browser session is high value (mail, attachments, internal links, password managers, SSO cookies, depending on your org’s OWA posture).
- Mitigation ID: Microsoft refers to the automatic EM payload as M2.1.x in the article; EM has been on by default since 2021 for many installs, but air-gapped or deliberately disabled setups need the scripted EOMT path instead.
Known mitigation costs you should budget in prose, not only in tickets
Microsoft already listed user-visible side effects: inline images can mis-render in the reading pane, print calendar in OWA can break, OWA Light misbehaves, and there is a cosmetic glitch where the mitigation details text can look wrong even when status reads Applied. Today’s addition is the operator-facing cousin: healthset noise.
Permanent patches were still in flight at the time of that article: Microsoft said it would ship updates for SE RTM, 2019 CU14/CU15, and 2016 CU23, with the familiar Extended Security Updates caveat that 2016/2019 fixes go to Period 2 ESU customers only. If your org is limping on an old cumulative update, the post’s nudge to move up before the patch train arrives is the rare case where “read the vendor blog” and “read your change calendar” are the same task.
What I would verify on a real fleet
These are checklists, not novel research:
- EM coverage: confirm EM is enabled, can reach Microsoft’s mitigation feed on your cadence, and that M2.1.x shows Applied using Microsoft’s Health Checker / EEMS section (Learn docs linked from the Exchange post).
- Monitoring: if OWACalendar.Proxy just started failing, compare first seen to mitigation rollout before you treat it as a new attack stage.
- User comms: attach images as files where inline rendering matters; steer heavy calendar printing to desktop Outlook until the mitigation lifts.
- Patch readiness: line up CU/ESU prerequisites now so you are not arguing about procurement the day the SU drops.
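The EM coverage check and the first-seen comparison above can be done from one Exchange Management Shell session. The script below is an added example written for this post, not a script from Microsoft's article or from Exchange itself. It assumes the Exchange Management Shell on a supported CU (the `MitigationsEnabled` and `MitigationsApplied` properties of `Get-ExchangeServer`, `Get-ServerHealth`, and `Add-ServerMonitoringOverride` are the documented EM and Managed Availability surfaces), that the server name `EXCH01` and the rollout timestamp are placeholders you replace from your own change record, and that the mitigation ID is matched on the `M2.1` prefix because the post only gives it as M2.1.x.

```powershell
# Added example for this post (not Microsoft's code). Run in the Exchange Management Shell.
# Placeholders: server name and the time your change record says the EM payload was applied.
$Server             = 'EXCH01'                        # assumed hostname
$MitigationApplied  = [datetime]'2026-05-16T09:00:00'  # assumed, from your change record
$MitigationIdPrefix = 'M2.1'                          # post refers to the payload as M2.1.x

# 1. EM coverage: is the Emergency Mitigation service on, and does the OWA payload show as applied?
$srv = Get-ExchangeServer -Identity $Server
if (-not $srv.MitigationsEnabled) {
    Write-Warning "$Server has EM disabled; use the scripted EOMT path instead of waiting for the feed."
}
$owaMitigation = @($srv.MitigationsApplied) | Where-Object { $_ -like "$MitigationIdPrefix*" }
if ($owaMitigation) {
    "Applied on {0}: {1}" -f $Server, ($owaMitigation -join ', ')
} else {
    Write-Warning "$Server does not report a $MitigationIdPrefix* mitigation as applied; check EM connectivity."
}

# 2. Monitoring: pull the OWACalendar.Proxy healthset and date every non-healthy monitor
#    against the rollout. Anything that went red after the mitigation matches the known issue;
#    anything that went red before it is not explained by the mitigation and needs a look.
$health = Get-ServerHealth -Identity $Server -HealthSet 'OWACalendar.Proxy'
$postMitigation = @()
foreach ($m in ($health | Where-Object { $_.AlertValue -ne 'Healthy' })) {
    if ($m.LastTransitionTime -ge $MitigationApplied) {
        $tag = 'post-mitigation: matches the known issue'
        $postMitigation += $m
    } else {
        $tag = 'pre-mitigation: investigate separately'
    }
    "{0} [{1}] {2} since {3} -> {4}" -f $m.HealthSet, $m.Name, $m.AlertValue, $m.LastTransitionTime, $tag
}

# 3. Tuning (deliberate, time-boxed): suppress only the monitors that match the known issue,
#    for a fixed window, so the override expires instead of becoming a permanent blind spot.
#    Left as a function you call on purpose; nothing below runs automatically.
function Suppress-KnownIssueMonitors {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [object[]] $Monitors,
        [string] $Duration = '30.00:00:00'   # days.hours:minutes:seconds; shorten if the SU is imminent
    )
    foreach ($m in $Monitors) {
        $identity = "{0}\{1}" -f $m.HealthSet, $m.Name
        Add-ServerMonitoringOverride -Server $Server -Identity $identity -ItemType Monitor `
            -PropertyName Enabled -PropertyValue 0 -Duration $Duration
        "Override added for $identity on $Server until the duration lapses; log this as a CVE-2026-42897 exception."
    }
}

# Usage once you have reviewed the list from step 2:
# Suppress-KnownIssueMonitors -Server $Server -Monitors $postMitigation
```

Keep the override duration shorter than your expected patch window and write the exception down where the SOC will see it; when the security update ships and EM lifts the mitigation, `Get-ServerMonitoringOverride` lets you confirm the suppressions have expired rather than trusting that they did.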
Sources
- Microsoft Tech Community: Addressing Exchange Server May 2026 vulnerability CVE-2026-42897 (initial May 14, 2026 post; revised May 17, 2026 including OWACalendar.Proxy healthset note)
- CISA: Adds one known exploited vulnerability to catalog (May 15, 2026 release date; lists CVE-2026-42897)
- CVE Program record: CVE-2026-42897
- Microsoft MSRC Security Update Guide entry for CVE-2026-42897
- The Register: Exploited Exchange Server flaw turns OWA inboxes into script launchpads (May 15, 2026)