
CVE-2026-42897
Microsoft Exchange OWA zero-day on CISA KEV with no permanent patch by the 29 May 2026 deadline.
Last refreshed: 29 May 2026 · Appears in 1 active topic
What happens when a federal deadline to fix an Exchange flaw arrives but Microsoft has no patch?
Timeline for CVE-2026-42897
Provided path traversal capability following the access-control bypass
Cybersecurity: Threats and Defences: Triple CVSS-10 Ubiquiti chain hits rootMentioned in: Arista refuses to patch KEV flaw
Cybersecurity: Threats and Defences200 fixes, six zero-days, late Exchange
Cybersecurity: Threats and DefencesWhat is CVE-2026-42897 in Microsoft Exchange?
Is there a patch for CVE-2026-42897 in Exchange?
What is the Exchange Emergency Mitigation Service?
Background
CVE-2026-42897 is a cross-site scripting (XSS) zero-day in Microsoft Exchange Server's Outlook Web Access (OWA) interface, assigned a CVSS score of 8.1. CISA added it to the Known Exploited Vulnerabilities catalogue on 15 May 2026, issuing a federal remediation Deadline of 29 May 2026. As of that Deadline, Microsoft had not shipped a permanent patch; the only available mitigation was enabling the Exchange Emergency Mitigation Service (EEMS), an automated workaround mechanism that deploys configuration-level mitigations without requiring a full patch cycle.
The Deadline-without-patch scenario is a recurring pattern for Microsoft Exchange. A similarly structured situation arose earlier in 2026, and several analogous cases appear in the KEV record going back to 2021. Exchange Server holds a privileged position on corporate networks, handling authentication tokens, email content, and calendar data; OWA exposure compounds this because it presents an internet-facing attack surface reachable without a VPN. An XSS in OWA can be chained with other vulnerabilities to steal session tokens or escalate access.
The structural tension between CISA's mandate to impose remediation deadlines and vendors' patch timelines is made visible by CVE-2026-42897. Federal civilian agencies (FCEB) are legally required to meet BOD 22-01 deadlines; the EEMS workaround provides a compliant-but-partial response. For private organisations not bound by FCEB rules, the absence of a permanent patch means the risk decision rests entirely with their own risk-management frameworks.