The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical Microsoft Exchange Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-42897 and carrying a CVSS score of 8.1, is being actively exploited in the wild, prompting urgent warnings to both federal agencies and private organizations.<\/p>\n
CVE-2026-42897 is classified as an improper neutralization of input during web page generation \u2014 more commonly known as a Cross-Site Scripting (XSS) vulnerability \u2014 within Microsoft Exchange Server. The flaw allows an unauthorized attacker to perform spoofing attacks over a network. According to Microsoft’s advisory, the vulnerability specifically targets Outlook Web Access (OWA), the browser-based interface used by millions of corporate users worldwide.<\/p>\n
Attackers can exploit this flaw by crafting a malicious email that, when opened inside Outlook Web Access, executes malicious JavaScript code under specific conditions \u2014 making phishing-style delivery a viable and low-noise attack vector.<\/p>\n
Microsoft confirmed active exploitation of CVE-2026-42897 in the wild shortly before CISA’s catalog update. However, neither Microsoft nor CISA has disclosed specific details about the threat actors behind the attacks or the sectors being targeted. What is clear is that the vulnerability surfaced just two days after Microsoft’s May 2026 Patch Tuesday release \u2014 which addressed 138 separate vulnerabilities \u2014 leaving a narrow but dangerous window of exposure.<\/p>\n
Because no permanent security patch was immediately available at the time of disclosure, Microsoft released temporary mitigation measures and urged administrators to apply them immediately to reduce attack surface exposure.<\/p>\n
Exchange Server sits at the heart of corporate communication infrastructure, making any zero-day targeting it especially high-value for threat actors. On-premises Exchange deployments are frequently internet-facing, meaning exploitation can begin before a patch is even developed.<\/p>\n
When OWA is involved, the risk escalates further. A browser-based attack surface means threat actors can use simple, convincing phishing emails to trigger execution \u2014 in some scenarios, merely opening a weaponized email is sufficient to compromise the victim’s session.<\/p>\n
Once inside an Exchange environment, attackers can read emails and attachments, steal credentials, reset passwords, pivot into connected systems, and establish persistent access through mail rules or stolen authentication tokens. These capabilities make Exchange zero-days a recurring favorite in both cyber espionage operations and ransomware campaigns.<\/p>\n
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the KEV catalog by their specified deadlines. For CVE-2026-42897, CISA has set the remediation deadline as May 29, 2026.<\/p>\n
While this directive applies directly to federal agencies, CISA strongly recommends that private sector organizations also review the KEV catalog and take immediate action to address any listed vulnerabilities present within their infrastructure.<\/p>\n
Organizations running Microsoft Exchange Server \u2014 particularly on-premises deployments with OWA enabled \u2014 should take the following steps without delay: apply Microsoft’s published temporary mitigations immediately, monitor official Microsoft and CISA channels for a permanent patch release, review email gateway and web access logs for indicators of compromise, and consider restricting external access to OWA until a full patch is available. The combination of active exploitation and a delayed permanent fix makes this one of the more urgent vulnerabilities of 2026 so far.<\/p>\n","protected":false},"excerpt":{"rendered":"
CISA has added CVE-2026-42897, an actively exploited Microsoft Exchange Server XSS vulnerability, to its Known Exploited Vulnerabilities catalog. Federal agencies have until May 29, 2026 to remediate the flaw, which enables spoofing attacks via Outlook Web Access.<\/p>\n","protected":false},"author":2,"featured_media":174,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"class_list":["post-175","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zeroday"],"yoast_head":"\n