HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Tuesday, May 19, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
Active Exploitation — Zero-Day · No Patch Available  ·  CVSS 8.1 (High)  ·  Enterprise · IT Ops
Exchange OWA Zero-Day CVE-2026-42897: A Crafted Email Delivers JavaScript to the Browser — No Patch, CISA KEV, and Automatic Mitigation You May Have Turned Off
Microsoft confirmed active exploitation of an unpatched cross-site scripting flaw in on-premises Exchange’s Outlook Web Access on May 14. A crafted email opened in OWA executes attacker JavaScript in the victim’s browser, capturing live session tokens. Exchange Online is not affected. On-prem Exchange 2016, 2019, and SE are.

CVE-2026-42897 is a spoofing vulnerability rooted in a cross-site scripting flaw in Exchange Server’s Outlook Web Access interface. The attack vector is a crafted email: when the recipient opens it in OWA, attacker-controlled JavaScript runs in the browser context and captures the active session token. That token provides authenticated access to the victim’s mailbox and any OWA-federated internal systems without requiring a password. Microsoft confirmed active exploitation in the wild on May 14, 2026; CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15, confirming the exploitation signal. Microsoft Exchange Team → Bleeping Computer →

No patch has been released. Microsoft’s Exchange Emergency Mitigation Service (EM Service) has deployed an automatic mitigation rule to affected servers — organisations with the EM Service enabled and connected to the internet received it automatically. Organisations that have disabled the EM Service, that operate Exchange in isolated or restricted network environments, or that have not verified the mitigation was applied must follow Microsoft’s manual workaround procedure from the May 14 advisory. Session tokens stolen via this flaw do not trigger MFA re-challenges on existing sessions, which means token theft is silent unless OWA session activity monitoring is in place. Affected versions: on-premises Exchange Server 2016, 2019, and Subscription Edition. Exchange Online users are not affected.

→ Key Takeaway
Confirm the Exchange Emergency Mitigation Service is enabled and has applied the May 14 mitigation rule on every on-premises Exchange server in your environment. Until a patch is available, restrict OWA access to corporate networks or VPN where feasible. Ask your team: is the EM Service running and connected, and are any OWA-facing servers internet-exposed without the mitigation applied? HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.
Quick Hits
01
node-ipc Supply Chain Attack: A Domain Expiry Handed an Attacker npm Publish Rights — Three Malicious Versions Harvested AWS Keys, SSH Keys, and Claude AI Configs

On May 14, three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published to npm. The attacker gained publish rights by re-registering a maintainer’s expired email domain on May 7, then triggering a standard npm password reset — no phishing, no credential theft. The payload fires on every require('node-ipc') call, harvesting SSH keys, AWS, Azure, and GCP credentials, Terraform state, GitHub CLI configs, Claude AI and Kiro IDE settings, and database passwords, then exfiltrating them via DNS TXT queries and HTTPS POST to attacker-controlled infrastructure — DNS is used as a secondary channel that bypasses perimeter HTTP monitoring. node-ipc has over 822,000 weekly downloads; the three versions were live for roughly two hours before removal. Any CI/CD pipeline or developer workstation that ran npm install against a loose semver dependency on node-ipc in the 9.x or 12.x range on or after May 14 should be treated as compromised — audit your lockfiles and rotate all secrets from affected builds immediately. The Hacker News → StepSecurity →

Critical — Supply Chain · Developer Credential Theft  ·  Dev · Cloud+DevOps
CVE Watch
CVE-2026-40361 (Microsoft Word/Outlook): A Zero-Click RCE Triggered by the Preview Pane — Receiving the Email Is Enough, Patched in May 12 Patch Tuesday

CVE-2026-40361 is a use-after-free remote code execution vulnerability in a rendering library shared by Microsoft Word and Outlook, patched in the May 12, 2026 Patch Tuesday update. The Outlook Preview Pane is an attack vector: a crafted email rendered for display executes attacker code under the recipient’s privileges — no click, no file open, no macro prompt. Successful exploitation provides access to the user’s stored credentials, email contents, and local file system. Microsoft rated CVE-2026-40361 CVSS 8.4 (High) with a Microsoft severity of Critical, and flagged exploitation as “more likely.” The patch covers Office 2016, 2019, 2021, 2024, and Microsoft 365 Apps. Confirm May 12 Office updates are installed across all endpoints — on an unpatched system, displaying a malicious email in the Preview Pane is sufficient for compromise. SecurityWeek → Malwarebytes →

Vendor: Microsoft  ·  CVE: CVE-2026-40361  ·  CVSS: 8.4 (High) · Microsoft severity: Critical  ·  Affected: Microsoft Word / Outlook (Office 2016, 2019, 2021, 2024, M365)  ·  Fix: May 12, 2026 Patch Tuesday  ·  Exploitation: Not confirmed in wild — “exploitation more likely” (Microsoft)
Compliance Tip of the Day
NIST CSF 2.0 — PR.AA-01 — Protect: Authentication & Access Control
OWA Session Token Lifetime Is an Administrative Setting — CVE-2026-42897 Makes It a Risk Decision

CVE-2026-42897 steals live OWA session tokens, not passwords — the token is already authenticated, so MFA re-challenges do not apply to the stolen session. NIST PR.AA-01 (identities and credentials for authorized users, services, and hardware are managed by the organization) covers the governance decisions that bound this risk: how long a credential is valid, what triggers its revocation, and whether an organization can detect when a stolen credential is in use. Generous OWA session timeouts that made sense for remote-worker convenience now extend the window an attacker holds a stolen token. Concrete action (PR.AA-01): Review your on-premises Exchange OWA session timeout configuration — on Exchange 2016 and 2019, timeout is controlled via the PrivateTimeout and PublicTimeout registry values under HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA — and reduce it to the minimum your operational workflows support; confirm that OWA access is restricted to corporate networks or VPN rather than open to the internet, and verify that session activity logging is forwarding to your SIEM so stolen-token use is detectable. NIST CSF 2.0 reference: nist.gov/cyberframework.

This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.