CISA adds CVE-2026-42897 Exchange XSS

- CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, saying the Microsoft Exchange Server flaw has been exploited in the wild. (nvd.nist.gov)
- Microsoft disclosed the bug on May 14 and said a specially crafted email opened in Outlook Web Access can execute arbitrary JavaScript. (techcommunity.microsoft.com)
- Federal agencies have until May 29 to act under CISA's KEV entry, which points users to vendor mitigations. (nvd.nist.gov)

CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting flaw, to its Known Exploited Vulnerabilities catalog on May 15, putting the bug on the U.S. agency's list of vulnerabilities confirmed to have been used in real-world attacks. (nvd.nist.gov) The entry says the flaw affects Microsoft Exchange Server and directs organizations to apply vendor mitigations, follow Binding Operational Directive 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. (techcommunity.microsoft.com)

Microsoft disclosed the vulnerability a day earlier, on May 14, in a post from the Exchange Team. The company said the issue affects Outlook Web Access on on-premises Exchange Server and can be triggered when an attacker sends a specially crafted email that a user later opens in OWA under certain interaction conditions. (nvd.nist.gov)

NIST's National Vulnerability Database describes CVE-2026-42897 as improper neutralization of input during web page generation, or cross-site scripting, in Microsoft Exchange Server that allows an unauthorized attacker to perform spoofing over a network. (nvd.nist.gov) The NVD page also shows Microsoft assigned the flaw a CVSS 3.1 base score of 8.1, while NIST had not yet published a CVSS 4.0 assessment of its own.

### Which Exchange systems did Microsoft say are affected?

Microsoft said Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition are affected at any update level. The company said Exchange Online is not affected. (techcommunity.microsoft.com)

The Microsoft post ties the issue specifically to Exchange Outlook Web Access, the browser-based interface often used to read email. The attack path Microsoft described requires a user to open the malicious message in OWA, after which arbitrary JavaScript can run in the browser context if the stated interaction conditions are met. (nvd.nist.gov)

### What exactly did CISA require after adding the bug to KEV?

CISA's KEV-linked guidance on the NVD entry lists May 29, 2026, as the due date for action. The required action says users should apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. (techcommunity.microsoft.com)

CISA says the KEV catalog is the authoritative source of vulnerabilities exploited in the wild and that organizations should use it as an input to vulnerability management prioritization. The catalog page does not itself describe the attacks tied to CVE-2026-42897, but the listing confirms CISA determined exploitation had occurred. (techcommunity.microsoft.com)

### What mitigation did Microsoft tell Exchange administrators to use?

Microsoft said its recommended option is the Exchange Emergency Mitigation Service, or EM Service. The company said it had already released an automatic mitigation for Exchange Server 2016, 2019 and Subscription Edition, and that the mitigation is applied automatically for customers with the service turned on. (nvd.nist.gov)

The Exchange Team said administrators can verify the mitigation by checking for mitigation ID "M2.1.x." Microsoft also said organizations that cannot use EM Service, including disconnected or air-gapped environments, can apply the mitigation through the Exchange on-premises Mitigation Tool. (cisa.gov)

### Why is this being described as both XSS and spoofing?

NIST labels the underlying weakness as CWE-79, the standard category for cross-site scripting; that is the class of coding flaw. Microsoft's advisory and the NVD description, however, describe the impact as spoofing over a network, which is the impact category Microsoft assigns in its advisories and reflects how browser-side script execution in the victim's OWA session can be used in practice. (techcommunity.microsoft.com)

The scoring details on the NVD page show a difference between Microsoft's and NIST's current treatment of the bug. Microsoft's CNA record assigns a CVSS 3.1 score of 8.1 and marks the flaw high severity, while NIST's own CVSS 3.x assessment on the page was 6.1 and its CVSS 4.0 assessment was not yet provided. (techcommunity.microsoft.com)

### What should organizations watch next?

May 29, 2026, is the deadline attached to the KEV entry for federal civilian agencies under CISA's process, according to the NVD listing. Microsoft said customers can use the Exchange Health Checker script to confirm whether the mitigation has been applied and can use its Exchange build-number documentation to determine whether servers are on supported versions for EM Service checks. (nvd.nist.gov)
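The verification step Microsoft describes (EM Service turned on, mitigation ID "M2.1.x" present) can be scripted from the Exchange Management Shell. The following is an added example written for this page, not code from the Exchange Team post, CISA or NVD. The cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties are the ones Microsoft documents for EM Service; the `M2.1` prefix is taken from the article, and the exact revision suffix of the mitigation ID is assumed unknown, so the check matches any `M2.1.*` value.

```powershell
# Added example (not from the Microsoft post or the CISA/NVD entries).
# Run in the Exchange Management Shell on any on-premises Exchange 2016/2019/SE
# server. Reports, per server, whether EM Service is enabled and whether the
# CVE-2026-42897 mitigation (ID "M2.1.x" per the article) has been applied.

# Assumption: the article gives only the prefix "M2.1.x", so match on "M2.1".
$MitigationPrefix = 'M2.1'

function Get-EmServiceMitigationStatus {
    param([string]$Prefix = $MitigationPrefix)

    # Org-wide kill switch: if this is $false, no server applies any mitigation.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
        # Normalize null/single values to arrays so -join and -like behave.
        $applied = @($srv.MitigationsApplied | Where-Object { $_ })
        $blocked = @($srv.MitigationsBlocked | Where-Object { $_ })

        # Any applied ID starting with the prefix counts as the OWA XSS mitigation.
        $hasFix = [bool]($applied | Where-Object { $_ -like "$Prefix*" })

        [pscustomobject]@{
            Server             = $srv.Name
            Build              = $srv.AdminDisplayVersion   # compare to Microsoft's build table
            OrgMitigations     = $orgEnabled
            ServerMitigations  = $srv.MitigationsEnabled
            Applied            = ($applied -join ', ')
            Blocked            = ($blocked -join ', ')
            HasCve42897Fix     = $hasFix
        }
    }
}

$status = Get-EmServiceMitigationStatus
$status | Format-Table -AutoSize

# Flag servers that still need attention: EM Service off at either level,
# mitigation missing, or the mitigation ID explicitly blocked by an admin.
$needsAction = $status | Where-Object {
    -not $_.OrgMitigations -or -not $_.ServerMitigations -or
    -not $_.HasCve42897Fix -or ($_.Blocked -like "*$MitigationPrefix*")
}

if ($needsAction) {
    Write-Warning ("{0} server(s) not covered: {1}" -f
        $needsAction.Count, (($needsAction | ForEach-Object Server) -join ', '))
    Write-Host "To enable EM Service org-wide:  Set-OrganizationConfig -MitigationsEnabled `$true"
    Write-Host "To enable on one server:        Set-ExchangeServer -Identity <name> -MitigationsEnabled `$true"
    Write-Host "Disconnected servers: apply the mitigation with the Exchange on-premises Mitigation Tool instead."
} else {
    Write-Host "All servers report EM Service enabled and a $MitigationPrefix.* mitigation applied."
}
```

For a second opinion, Microsoft's own `Get-Mitigations.ps1` (in the Exchange `Scripts` folder) lists the applied mitigations, and the Health Checker script the article mentions reports EM Service state alongside the build number, which matters because EM Service only checks for mitigations on builds Microsoft lists as supported. Servers that are air-gapped will show `MitigationsEnabled` as `$true` but never receive the mitigation, so for those the EOMT route Microsoft describes is the one to take.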
