Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical Microsoft Exchange Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-42897 and carrying a CVSS score of 8.1, is being actively exploited in the wild, prompting urgent warnings to both federal agencies and private organizations.
What Is CVE-2026-42897?
CVE-2026-42897 is classified as an improper neutralization of input during web page generation — more commonly known as a Cross-Site Scripting (XSS) vulnerability — within Microsoft Exchange Server. The flaw allows an unauthorized attacker to perform spoofing attacks over a network. According to Microsoft’s advisory, the vulnerability specifically targets Outlook Web Access (OWA), the browser-based interface used by millions of corporate users worldwide.
Attackers can exploit this flaw by crafting a malicious email that, when opened inside Outlook Web Access, executes malicious JavaScript code under specific conditions — making phishing-style delivery a viable and low-noise attack vector.
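To illustrate the vulnerability class described above, the following is an added example written for this page (not Microsoft's or OWA's code): a minimal webmail preview renderer in its improper-neutralization form beside its hardened form, plus a parser-based review check that flags script elements and inline event-handler attributes in the generated HTML. The message fields are constructed samples, not content from any real attack.

```python
import html
from html.parser import HTMLParser

# Constructed sample message (not from the advisory): header fields carry
# markup that a webmail page must never emit into its HTML unescaped.
SAMPLE_MESSAGE = {
    "from_name": 'Payroll <b onmouseover="alert(1)">Team</b>',
    "subject": "Q2 bonus <script>alert(1)</script>",
    "body_text": 'See attached; 1 < 2 & "quotes" must survive escaping.',
}

def render_preview_vulnerable(msg):
    """CWE-79: untrusted fields are concatenated straight into the page."""
    return (
        f'<div class="from">{msg["from_name"]}</div>'
        f'<div class="subject">{msg["subject"]}</div>'
        f'<pre>{msg["body_text"]}</pre>'
    )

def neutralize(value):
    """Escape for element content and quoted attributes (& < > " ')."""
    return html.escape(value, quote=True)

def render_preview_hardened(msg):
    """Same page, but every untrusted field is escaped where it enters."""
    return (
        f'<div class="from">{neutralize(msg["from_name"])}</div>'
        f'<div class="subject">{neutralize(msg["subject"])}</div>'
        f'<pre>{neutralize(msg["body_text"])}</pre>'
    )

class ActiveMarkupDetector(HTMLParser):
    """Parse the page as a browser would; record script tags and on* attrs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")

def active_markup(rendered_html):
    """Review check for a rendered page: [] means nothing executable."""
    detector = ActiveMarkupDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings
```

The same check can be pointed at any server-generated HTML fragment during code review or regression testing; an empty result for the hardened renderer shows the escaping held for both the element-content and attribute contexts.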
Active Exploitation Confirmed
Microsoft confirmed active exploitation of CVE-2026-42897 in the wild shortly before CISA’s catalog update. However, neither Microsoft nor CISA has disclosed specific details about the threat actors behind the attacks or the sectors being targeted. What is clear is that the vulnerability surfaced just two days after Microsoft’s May 2026 Patch Tuesday release — which addressed 138 separate vulnerabilities — leaving a narrow but dangerous window of exposure.
Because no permanent security patch was available at the time of disclosure, Microsoft released temporary mitigations and urged administrators to apply them immediately to reduce exposure until a fix ships.
Why Exchange Server Zero-Days Are So Dangerous
Exchange Server sits at the heart of corporate communication infrastructure, making any zero-day targeting it especially high-value for threat actors. On-premises Exchange deployments are frequently internet-facing, meaning exploitation can begin before a patch is even developed.
When OWA is involved, the risk escalates further. A browser-based attack surface means threat actors can use simple, convincing phishing emails to trigger execution — in some scenarios, merely opening a weaponized email is sufficient to compromise the victim’s session.
Once inside an Exchange environment, attackers can read emails and attachments, steal credentials, reset passwords, pivot into connected systems, and establish persistent access through mail rules or stolen authentication tokens. These capabilities make Exchange zero-days a recurring favorite in both cyber espionage operations and ransomware campaigns.
Federal Mandate and Recommended Actions
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the KEV catalog by their specified deadlines. For CVE-2026-42897, CISA has set the remediation deadline as May 29, 2026.
While this directive applies directly to federal agencies, CISA strongly recommends that private sector organizations also review the KEV catalog and take immediate action to address any listed vulnerabilities present within their infrastructure.
What You Should Do Now
Organizations running Microsoft Exchange Server — particularly on-premises deployments with OWA enabled — should take the following steps without delay: apply Microsoft’s published temporary mitigations, monitor official Microsoft and CISA channels for the permanent patch release, review email gateway and web access logs for indicators of compromise, and consider restricting external access to OWA until a full patch is available. The combination of active exploitation and a delayed permanent fix makes this one of the more urgent vulnerabilities of 2026 so far.