
CVE-2026-42897
Microsoft Exchange OWA zero-day on CISA KEV with no permanent patch by the 29 May 2026 deadline.
Last refreshed: 29 May 2026 · Appears in 1 active topic
What happens when a federal deadline to fix an Exchange flaw arrives but Microsoft has no patch?
- What is CVE-2026-42897 in Microsoft Exchange?
- CVE-2026-42897 is a cross-site scripting zero-day in Exchange Server's Outlook Web Access, rated CVSS 8.1. CISA added it to the KEV catalogue on 15 May 2026 with a 29 May federal deadline, but Microsoft had no permanent patch by that date. (Source: CISA KEV, May 2026)
- Is there a patch for CVE-2026-42897 in Exchange?
- As of the 29 May 2026 federal deadline, Microsoft had not released a permanent patch. The only available mitigation is enabling the Exchange Emergency Mitigation Service (EEMS), which applies configuration-level workarounds automatically. (Source: Microsoft Exchange advisory, May 2026)
- What is the Exchange Emergency Mitigation Service?
- EEMS is a Microsoft service that automatically applies interim security mitigations to Exchange Server without requiring a full cumulative update. It is designed to buy time between vulnerability disclosure and permanent patch availability. (Source: event)
Background
CVE-2026-42897 is a cross-site scripting (XSS) zero-day in Microsoft Exchange Server's Outlook Web Access (OWA) interface, assigned a CVSS score of 8.1. CISA added it to the Known Exploited Vulnerabilities catalogue on 15 May 2026, issuing a federal remediation deadline of 29 May 2026. As of that deadline, Microsoft had not shipped a permanent patch; the only available mitigation was enabling the Exchange Emergency Mitigation Service (EEMS), an automated workaround mechanism that deploys configuration-level mitigations without requiring a full patch cycle.
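Because EEMS is the only mitigation the page reports for CVE-2026-42897, the practical check is whether the service is actually running and whether its mitigations are enabled and applied on every Exchange server. The following Exchange Management Shell script is an added example, not part of the original page or of any Microsoft advisory. It relies on the EEMS cmdlet interface Microsoft documents for on-premises Exchange (the MitigationsEnabled setting on Get-OrganizationConfig, and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties on Get-ExchangeServer); the Windows service name MSExchangeMitigation is assumed.

```powershell
# Added example: verify that the Exchange Emergency Mitigation Service (EEMS)
# is running, enabled, and has applied mitigations on each on-premises server.
# Run from the Exchange Management Shell with an account that can read
# organisation and server configuration.
# The service name MSExchangeMitigation is an assumption; cmdlet and property
# names follow Microsoft's documented EEMS interface.

$problems = @()

# 1. The EM service must be installed and running on this server.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "EEMS service not found on this server (Exchange build without EEMS?)"
} elseif ($svc.Status -ne 'Running') {
    $problems += "EEMS service state is $($svc.Status); expected Running"
}

# 2. Mitigations must be enabled at organisation level. The default is enabled,
#    but administrators can opt out, and an opt-out silently disables EEMS.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    $problems += "MitigationsEnabled is false at organisation level"
}

# 3. Per-server view: EEMS can also be disabled per server, and a mitigation
#    that was fetched but blocked locally gives no protection.
foreach ($srv in Get-ExchangeServer) {
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    "{0}: enabled={1} applied=[{2}] blocked=[{3}]" -f `
        $srv.Name, $srv.MitigationsEnabled, ($applied -join ', '), ($blocked -join ', ')

    if (-not $srv.MitigationsEnabled) {
        $problems += "$($srv.Name): mitigations disabled at server level"
    }
    if ($blocked.Count -gt 0) {
        $problems += "$($srv.Name): blocked mitigations: $($blocked -join ', ')"
    }
    if ($applied.Count -eq 0) {
        $problems += "$($srv.Name): no mitigations applied (check outbound connectivity to Microsoft)"
    }
}

# 4. Summarise. A non-empty list means EEMS is not providing the interim
#    protection the organisation is relying on.
if ($problems.Count -eq 0) {
    "EEMS check passed on all servers"
} else {
    "EEMS check found issues:"
    $problems | ForEach-Object { " - $_" }
}
```

EEMS fetches mitigation definitions from a Microsoft-hosted endpoint, so an empty MitigationsApplied list on a server whose service is running usually points at blocked outbound connectivity rather than at a missing mitigation. The script reports state only; it does not change any setting, so it can be scheduled as a compliance check while the permanent patch is still outstanding.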
The deadline-without-patch scenario is a recurring pattern for Microsoft Exchange. A similarly structured situation arose earlier in 2026, and several analogous cases appear in the KEV record going back to 2021. Exchange Server holds a privileged position on corporate networks, handling authentication tokens, email content, and calendar data; OWA exposure compounds this because it presents an internet-facing attack surface reachable without a VPN. An XSS in OWA can be chained with other vulnerabilities to steal session tokens or escalate access.
CVE-2026-42897 makes visible the structural tension between CISA's mandate to impose remediation deadlines and vendors' patch timelines. Federal civilian agencies (FCEB) are legally required to meet BOD 22-01 deadlines; the EEMS workaround provides a compliant-but-partial response. For private organisations not bound by FCEB rules, the absence of a permanent patch means the risk decision rests entirely with their own risk-management frameworks.