June 2026 Patch Tuesday: Exchange OWA Zero-Day Exploited 28 Days Before the Patch

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2026-42897, a cross-site scripting flaw in Microsoft Exchange Server's Outlook Web Access component, was actively exploited in targeted attacks before Microsoft patched it on June 9, 2026; researcher Nightmare Eclipse published a working exploit for CVE-2026-47281 "RoguePlanet," a CVSS 9.6 Windows Defender privilege escalation, within hours of that same release.
June 2026 Patch Tuesday addresses 200 vulnerabilities across Windows, Exchange Server, Microsoft Office, Azure, Hyper-V, and Visual Studio Code, the largest single-month release in Microsoft history. The update includes 6 zero-day vulnerabilities: 5 publicly disclosed and 1 confirmed as actively exploited before the patch existed. CVE-2026-42897 is the actively exploited CVE. When a recipient opens a specially crafted email in Exchange OWA, embedded JavaScript executes in their authenticated browser session with no link clicks, no macro approvals, and no file downloads required. Exchange Online is not affected; only on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition carry the exposure.
Organizations with on-premises Exchange deployments face two compounding urgent threats today. CVE-2026-42897 has been in active use since at least May 14, 2026, meaning any OWA-accessible inbox was a potential entry point for session hijack or credential theft for 28 days before a fix existed. At the same time, CVE-2026-47281 means any attacker who already holds a foothold on a Windows endpoint can now escalate to SYSTEM-level privileges before most organizations have deployed the June 9 cumulative update. June 2026 Patch Tuesday is not a scheduled maintenance window; it is an active incident response requirement.
How Does CVE-2026-42897 Exchange OWA Exploitation Work?
CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access component of Microsoft Exchange Server. OWA renders email content inside an authenticated browser session, which means any JavaScript that executes in that context runs with the full permissions of the logged-in user: their credentials, their session tokens, and their access to Exchange mailbox data.
The attack requires no user interaction beyond opening the email. An attacker sends a crafted email with obfuscated JavaScript embedded in the message body. When the recipient opens the email in OWA, the browser renders the content and executes the script. The JavaScript runs in the context of the victim's authenticated session without requiring them to click a link, enable macros, or download an attachment. This places CVE-2026-42897 in the near-zero-interaction category, the highest-value attack surface for initial access and account takeover campaigns.
Once JavaScript executes inside the victim's OWA session, an attacker can capture the authentication cookie, submit requests on behalf of the user through OWA's REST API, extract inbox contents, or redirect the session to a credential-harvesting page. Microsoft classifies CVE-2026-42897 as a spoofing vulnerability because session abuse and impersonation are the primary outcomes, but the underlying mechanism is stored or reflected XSS in the OWA rendering pipeline.
Exchange Online is not affected. The vulnerability exists only in on-premises Exchange Server deployments where OWA is accessible. Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition running OWA require the June 9 security update. Organizations that route email through Exchange Online but maintain on-premises hybrid deployments should verify whether their on-premises component processes OWA requests before assuming they are outside the impact scope.
What Is the RoguePlanet Zero-Day CVE-2026-47281?
CVE-2026-47281, tagged "RoguePlanet" by the researcher who discovered it, is a privilege escalation vulnerability in Microsoft Defender and Visual Studio Code with a CVSS score of 9.6. It is the highest-severity vulnerability in the June 2026 Patch Tuesday release.
RoguePlanet exploits improper input validation in the way Visual Studio Code interacts with Windows Defender components. An attacker who has already achieved initial code execution on a target system, through phishing, credential reuse, or any prior vulnerability, can use CVE-2026-47281 to escalate from a limited user account to SYSTEM, the highest available privilege level on a Windows endpoint. SYSTEM access enables an attacker to disable security software, create persistence mechanisms that survive reboots, access all files and processes on the machine, and move laterally through the network using the machine's stored credentials.
RoguePlanet is the second Windows Defender zero-day patched in 2026, following the previous Windows Defender zero-day patched earlier this year. Recurring Defender exploits across both H1 2026 releases point to sustained attacker focus on antimalware software as a privilege escalation vector, a trend Nightmare Eclipse explicitly cited in the disclosure commentary.
Nightmare Eclipse published RoguePlanet and three companion exploits, GreenPlasma (CVE-2026-45586), YellowKey (CVE-2026-45585), and Mini-Plasma (CVE-2020-17103), within hours of June 2026 Patch Tuesday's release. The disclosure was framed as a protest against Microsoft's patch timeline management. All four vulnerabilities were known to Microsoft and patched in this update, but public exploit availability immediately after patching compresses the window organizations have to deploy the fixes before exploitation becomes trivial.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
June 2026 Patch Tuesday: Complete Zero-Day Scope and Critical CVE Statistics
June 2026 Patch Tuesday sets a new single-month record for Microsoft with 200 CVEs addressed. The breakdown includes 33 critical-severity flaws, 55 remote code execution vulnerabilities, 65 elevation of privilege vulnerabilities, 30 information disclosure flaws, 19 security feature bypasses, and 7 denial-of-service vulnerabilities.
The six zero-days in this release are:
CVE-2026-42897: Exchange Server OWA cross-site scripting. Actively exploited before the June 9 patch. CVSS 8.1. Affects on-premises Exchange Server 2016, 2019, and Subscription Edition.
CVE-2026-47281 "RoguePlanet": Windows Defender and Visual Studio Code privilege escalation. CVSS 9.6. Requires initial code execution to reach SYSTEM. Published by Nightmare Eclipse post-patch.
CVE-2026-45585 "YellowKey": BitLocker security feature bypass. Publicly disclosed. Requires physical access; exploits Windows Recovery Environment to bypass BitLocker encryption.
CVE-2026-50507 "bitskrieg": BitLocker security feature bypass. Publicly disclosed. Similar WinRE exploitation mechanism to YellowKey. Systems showing boot errors after patching should run reagentc /disable then reagentc /enable.
CVE-2026-45586 "GreenPlasma": Windows Collaborative Translation Framework (CTFMON) elevation of privilege. Publicly disclosed. Grants SYSTEM privileges via a link-following flaw.
CVE-2026-49160 "HTTP/2 Bomb": Windows HTTP.sys denial of service. Publicly disclosed. Exploits HTTP/2 header compression to achieve resource exhaustion against IIS and HTTP.sys-dependent Windows services.
CVE-2020-17103 "Mini-Plasma": Windows Cloud Files elevation of privilege. Publicly disclosed, originally reported September 2020. Grants SYSTEM privileges. Its presence in a 2026 Patch Tuesday nearly six years after initial reporting reflects persistent gaps in Microsoft's vulnerability backlog.
The April 2026 Patch Tuesday addressed 178 vulnerabilities and 4 zero-days, establishing the recent pattern of monthly releases exceeding 150 CVEs.
“June Patch Tuesday marks a new normal with over 200 CVEs, 32 rated critical and an unprecedented mix of zero-days spanning privilege escalation, BitLocker bypass, and actively exploited web components.”
CSO Online analysis, June 2026
Who Is Actively Exploiting CVE-2026-42897 and What Is the Target Profile?
Microsoft confirmed CVE-2026-42897 was actively exploited in targeted attacks on May 14, 2026. The company did not attribute the exploitation to a specific threat actor or name a country of origin in its advisory. No specific threat actor attribution had been published by CISA, Microsoft, or major threat intelligence vendors as of June 11, 2026.
The attack vector and target profile are consistent with nation-state initial access campaigns. Exchange Server OWA is one of the most consistently targeted Microsoft products in advanced persistent threat operations. Russian-linked groups including Midnight Blizzard (APT29) and Seashell Blizzard exploited Exchange Server vulnerabilities for espionage from 2019 onward. Chinese state-linked actors including HAFNIUM conducted mass Exchange exploitation campaigns in 2021 and 2022. The pattern of an Exchange OWA zero-day exploited in targeted attacks against financial institutions and government agencies before patch availability fits the operational profile of an intelligence collection campaign rather than a ransomware operation.
Ransomware groups favor rapid lateral movement and mass deployment. Targeted Exchange OWA exploitation via crafted email, with no public disclosure and no broad scanning activity, is consistent with a persistent access campaign focused on credential theft and long-term surveillance.
Microsoft's Exchange Emergency Mitigation Service (EMES) automatically applied a URL rewrite configuration as an interim defense when Microsoft first confirmed exploitation on May 14. EMES is enabled by default on supported on-premises Exchange deployments. Organizations should verify the mitigation is active via Exchange Management Shell while deploying the full June 9 patch.
Any organization with on-premises Exchange Server exposing OWA, even on an internal network only, remains exposed to this attack from any attacker who has already achieved network access via a prior phishing campaign, VPN credential compromise, or supply chain attack.
IOCs and Detection Guidance for CVE-2026-42897 and RoguePlanet
No network-level indicators of compromise were published for CVE-2026-42897 or CVE-2026-47281 as of June 11, 2026. Microsoft and CISA have not released attacker infrastructure IPs, malware samples, or packet captures tied to confirmed exploitation of either vulnerability.
Detection for CVE-2026-42897 requires reviewing OWA access logs for anomalous request patterns. Exchange Server writes OWA activity to IIS logs at C:\inetpub\logs\LogFiles. Look for GET or POST requests to /owa/ paths that include encoded script sequences in request parameters, referrer headers, or cookie values during the May 14 through June 9, 2026 window. A successful XSS execution generates a subsequent authenticated API call from the victim's session to an attacker-controlled destination, which may appear as an outbound OWA request to an unfamiliar external host.
Verify Exchange Emergency Mitigation Service protection is active by running Get-ExchangeDiagnosticInfo -Server [ServerName] -Process EdgeTransport -Component MitigationService -Settings Mitigations in Exchange Management Shell. The presence of an active mitigation rule for CVE-2026-42897 confirms the URL rewrite protection is deployed.
For CVE-2026-47281, detection depends on Windows Event Log monitoring. A successful privilege escalation to SYSTEM generates Event ID 4672 and Event ID 4624. Investigate any process launched under NT AUTHORITY\SYSTEM that is a child of a Visual Studio Code or Windows Defender process and was not initiated by a system administrator account.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Remediate June 2026 Patch Tuesday Vulnerabilities
Follow these steps in order to close the CVE-2026-42897 and CVE-2026-47281 exposures today.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why June 2026 Patch Tuesday Demands Priority Patching This Week
June 2026 Patch Tuesday carries two parallel urgencies that make it qualitatively different from a standard monthly patching cycle. CVE-2026-42897 creates a historical exposure window that already happened: organizations with on-premises Exchange and OWA were reachable via a crafted email for 28 days before today's patch existed. Patching now stops future exploitation; it does not eliminate risk from sessions compromised between May 14 and June 9.
CVE-2026-47281 creates forward-looking risk. Any attacker who established persistent access on a Windows endpoint through a prior campaign now holds a freely available SYSTEM escalation tool valid until the cumulative update is deployed. A credential-stuffing victim from April, a phishing compromise from March, or a supply chain implant from earlier in 2026 each represent potential foothold positions that RoguePlanet can convert into SYSTEM-level control.
Researcher Nightmare Eclipse's coordinated public disclosure of four exploits simultaneously, framed as protest against Microsoft's vulnerability disclosure handling, is itself an intelligence indicator. Vulnerabilities disclosed in protest tend to be adopted rapidly by opportunistic attackers because public exploit code eliminates the barrier to weaponization. The window between public exploit release and mass exploitation has historically been measured in hours to days for high-severity Windows vulnerabilities.
The record 200-CVE June release is not an anomaly. CSO Online's analysis of this release describes 200-plus-CVE Patch Tuesdays as the new normal following changes in Microsoft's internal CVE tracking methodology. Security teams whose patching prioritization is calibrated to historical 80-to-150-CVE monthly releases need to reassess their response timelines for a baseline that now consistently exceeds that range.
The bottom line
June 2026 Patch Tuesday patches 200 CVEs, the largest Microsoft security release in history, including CVE-2026-42897, an Exchange OWA XSS zero-day exploited in targeted attacks since May 14, and CVE-2026-47281 RoguePlanet, a CVSS 9.6 Windows Defender privilege escalation published hours after the patches dropped. Three takeaways: Exchange Server 2016, 2019, and SE need the Exchange-specific security update, not just the Windows cumulative update; EMES mitigation provides partial protection but does not replace the full patch; and BitLocker-protected systems need reagentc remediation steps if boot errors appear after patching. Apply the Exchange June security update and Windows cumulative update before end of business today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-42897?
CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access component of Microsoft Exchange Server, rated CVSS 8.1 and confirmed actively exploited before the June 9, 2026 patch. When a recipient opens a specially crafted email in OWA, embedded JavaScript executes in their authenticated browser session without any additional user interaction. This allows an attacker to steal session tokens, submit requests on behalf of the victim, or redirect the session to a credential harvesting page. Exchange Online is not affected.
Is Exchange Online affected by CVE-2026-42897?
No. CVE-2026-42897 affects only on-premises Microsoft Exchange Server deployments: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft's cloud-hosted Exchange Online service does not carry this vulnerability. Organizations that have fully migrated to Exchange Online do not need to apply a patch for CVE-2026-42897. Hybrid deployments that maintain an on-premises Exchange component for OWA or specific routing functions should verify whether their on-premises servers are in scope.
What is the RoguePlanet zero-day?
RoguePlanet is the informal name for CVE-2026-47281, a CVSS 9.6 privilege escalation vulnerability in Microsoft Defender and Visual Studio Code. It exploits improper input validation in the way VS Code interacts with Defender components, allowing an attacker who already has limited code execution on a Windows system to escalate to SYSTEM, the highest Windows privilege level. Microsoft patched it in June 2026 Patch Tuesday. Security researcher Nightmare Eclipse published a working exploit within hours of the patch release.
How do I apply the June 2026 Patch Tuesday update to Exchange Server?
Exchange Server security updates must be applied separately from the Windows cumulative update. Download the Exchange Server 2016, 2019, or Subscription Edition June 2026 Security Update from the Microsoft Update Catalog or deploy it through WSUS. After installation, run the Exchange setup command with the /PrepareAD and /PrepareAllDomains flags if required by your deployment, then restart the Microsoft Exchange services. Verify EMES mitigation status via Exchange Management Shell before and after patching to confirm CVE-2026-42897 protection.
How does the Exchange OWA zero-day work without the user clicking anything?
CVE-2026-42897 works because Exchange OWA renders email content directly in an authenticated browser session. The vulnerability is a cross-site scripting flaw in the OWA rendering pipeline that fails to sanitize JavaScript embedded in email content. When OWA renders a crafted email, the browser executes the embedded script in the context of the victim's active session. No link click or file download is required because the script is part of the email body rendered by OWA, not an external resource the victim must consciously access.
What does actively exploited mean for CVE-2026-42897?
Actively exploited means Microsoft observed real attackers using CVE-2026-42897 in live attacks against organizations before a patch was available. Microsoft confirmed exploitation on May 14, 2026. The vulnerability was weaponized in targeted campaigns against financial institutions and government agencies. Actively exploited status in a CVE advisory means the vulnerability is not theoretical; it has been used to compromise real systems, and organizations with exposed Exchange OWA instances must treat remediation as urgent.
What is a BitLocker security feature bypass vulnerability?
A BitLocker security feature bypass allows an attacker to access the contents of a BitLocker-encrypted drive without the encryption key. CVE-2026-45585 YellowKey and CVE-2026-50507 bitskrieg both exploit the Windows Recovery Environment to bypass BitLocker during a recovery boot sequence. Both require physical access to the target machine, making them primarily relevant to scenarios involving lost or stolen devices. Organizations using BitLocker to protect sensitive data on endpoints should apply the June 2026 cumulative update to close both bypasses.
How do I verify my system has the June 2026 Patch Tuesday update installed?
Open Settings, select Windows Update, and check Update History for the June 9, 2026 cumulative update. For Exchange Server, run Get-ExchangeServer | Format-List Name,AdminDisplayVersion in Exchange Management Shell and compare the version number against Microsoft's published June 2026 build number for your Exchange version. For Visual Studio Code, open VS Code, navigate to Help, select About, and confirm the version matches the June 2026 release. Run winver from a command prompt to verify the Windows build number reflects the June cumulative update.
Sources & references
- NVD: CVE-2026-42897 Detail
- BleepingComputer: Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws
- Help Net Security: Exchange Server CVE-2026-42897 exploited before patch
- SecurityWeek: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
- Zero Day Initiative: The June 2026 Security Update Review
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
