Exchange Server CVE-2026-42897
Microsoft Exchange OWA cross-site scripting zero-day; CVSS 8.1; CISA KEV with 29 May federal deadline and no patch.
Last refreshed: 20 May 2026
CISA gave federal agencies until 29 May to fix an Exchange bug Microsoft has not patched; what does that mean for compliance?
Timeline for Exchange Server CVE-2026-42897
Exchange repeats the CISA deadline-before-patch trap
- What is CVE-2026-42897 in Microsoft Exchange?
- CVE-2026-42897 is a cross-site scripting zero-day in Microsoft Exchange's Outlook Web Access. It is rated CVSS 8.1 and is being actively exploited against on-premises Exchange Server 2016, 2019, and Subscription Edition. CISA added it to the KEV catalogue on 15 May 2026 with a 29 May federal remediation deadline. Exchange Online is not affected. Source: CISA / Microsoft MSRC
- Is there a patch for Exchange CVE-2026-42897?
- As of 20 May 2026, Microsoft had not released a patch for CVE-2026-42897. The only available mitigation is the Exchange Emergency Mitigation Service URL-rewrite rule, which is applied automatically on supported on-premises deployments but breaks OWA calendar printing and Light mode. Source: Microsoft MSRC / Help Net Security
- How should I protect Exchange Server from CVE-2026-42897 before a patch exists?
- Microsoft's recommended mitigation is the Exchange Emergency Mitigation Service (EEMS) URL-rewrite rule, applied automatically on Exchange 2016, 2019, and SE. Additional measures include monitoring mailbox rules for unusual forwarding and rotating active OWA session tokens. Restrict OWA access to internal networks where feasible. Source: Microsoft MSRC
- Why is CISA setting a 29 May deadline for an Exchange bug with no fix?
- CISA's BOD 22-01 programme mandates remediation deadlines for Known Exploited Vulnerabilities regardless of whether a vendor patch exists. The 29 May deadline reflects active exploitation, not patch availability. CISA applied the same posture to PAN-OS CVE-2026-0300 on 6 May, setting a deadline before Palo Alto's patches shipped. Source: CISA
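The two checks above that an administrator can actually script, verifying that EEMS is switched on and has applied something, and sweeping mailboxes for forwarding an attacker riding a hijacked OWA session might have planted, are shown below as an added example. This is not code from the page, CISA or Microsoft. It uses only standard Exchange Management Shell cmdlets. Assumptions not taken from the page: the page gives no EEMS mitigation ID for CVE-2026-42897, so the first part only reports whatever EEMS says it has applied rather than looking for a named rule; the report path is arbitrary; and the "external address" test relies on the `[SMTP:...]` form Exchange uses when it displays rule recipients outside the organisation. Session-token rotation and network restriction of OWA are not covered here.

```powershell
# Added example, not the page's or Microsoft's code. Run from the Exchange Management
# Shell (Windows PowerShell 5.1) on an on-premises Exchange 2016/2019/SE server with
# Organization Management rights.

$ReportPath = 'C:\Temp\owa-cve-2026-42897-review.csv'   # assumed location, change as needed

# ---- 1. Is the Emergency Mitigation Service on, running, and applying mitigations? ----
# EEMS is gated twice (org-wide switch and per-server switch) and the MSExchangeMitigation
# service must be running for a server to fetch new rules. "Applied automatically" only
# holds when all three are true, so check each server rather than assuming.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host ("Org-level MitigationsEnabled: {0}" -f $orgEnabled)

Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
    $svc = Get-Service -ComputerName $_.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $_.Name
        MitigationsEnabled = $_.MitigationsEnabled
        ServiceStatus      = $(if ($svc) { $svc.Status } else { 'unknown' })
        Applied            = ($_.MitigationsApplied -join ',')   # page names no ID for this CVE; review the list by hand
        Blocked            = ($_.MitigationsBlocked -join ',')   # anything listed here was deliberately suppressed
    }
} | Format-Table -AutoSize

# ---- 2. Hunt for forwarding an attacker could have created through a hijacked OWA session ----
# OWA itself can create inbox rules and set forwarding, so an XSS-driven session hijack
# leaves artefacts in exactly these places. Check rule-based and mailbox-level forwarding.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().TrimStart('*.').ToLower() }

function Get-ExternalTargets {
    # Assumption: rule recipients outside the org render as "Name" [SMTP:user@example.net];
    # internal recipients carry a legacy DN instead. Anything with an SMTP domain that is
    # not an accepted domain is reported as external.
    param([string[]] $Entries)
    foreach ($e in $Entries) {
        if ($e -match '\[SMTP:([^\]]+)\]') {
            $addr   = $Matches[1]
            $domain = ($addr -split '@')[-1].ToLower()
            if ($acceptedDomains -notcontains $domain) { $addr }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (settable by admins, or by anyone holding the session)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress.ToString()
            Kind    = 'MailboxLevelForwarding'
            Detail  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) ForwardingAddress=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }
    # Inbox rules: forward/redirect targets, delete-after-forward, and blank or dot-only
    # rule names (a common attacker choice to keep the rule out of sight in the OWA list)
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets  = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                      Where-Object { $_ } | ForEach-Object { $_.ToString() })
        $external = @(Get-ExternalTargets -Entries $targets)
        $suspicious = ($external.Count -gt 0) -or
                      ($targets.Count -gt 0 -and $rule.DeleteMessage) -or
                      ($rule.Name -match '^[\.\s]*$')
        if ($suspicious) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Kind    = 'InboxRule'
                Detail  = "Rule='$($rule.Name)' Enabled=$($rule.Enabled) Targets=$($targets -join ';') External=$($external -join ';') Delete=$($rule.DeleteMessage)"
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} finding(s) written to {1}" -f @($findings).Count, $ReportPath)
```

Run the sweep once to establish a baseline before the 29 May deadline and again after any suspected exposure window; forwarding that was legitimately configured will appear every time, so the useful signal is what changes between runs. Disabling a hit with `Disable-InboxRule` or clearing `ForwardingSmtpAddress` via `Set-Mailbox` is an administrative decision, not something this script does on its own.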
Background
Exchange Server CVE-2026-42897 is a cross-site scripting zero-day vulnerability in Microsoft Exchange's Outlook Web Access (OWA) component, rated CVSS 8.1. CISA added it to the Known Exploited Vulnerabilities catalogue on 15 May 2026 with a federal remediation deadline of 29 May 2026. Microsoft had not shipped a patch at the time of the KEV addition or as of 20 May 2026; the only available mitigation was the Exchange Emergency Mitigation Service URL-rewrite rule, which is applied automatically on supported on-premises deployments. Active exploitation has been confirmed against Exchange Server 2016, 2019, and Subscription Edition on-premises; Exchange Online is unaffected.
CVE-2026-42897 is the second instance in twelve days of CISA imposing a federal compliance obligation under BOD 22-01 without a remediation path. The PAN-OS CVE-2026-0300 precedent on 6 May 2026 established that CISA is willing to write KEV deadlines before vendor patches exist; CVE-2026-42897 confirms the pattern as posture rather than exception. For federal CISOs, this puts the directive's text at odds with CISA's own operational practice: the only documented response to CVE-2026-42897 is the EEMS mitigation plus mailbox-rule monitoring and session-token rotation, which mitigates the bug but does not remediate it in the directive's literal terms.
The EEMS URL-rewrite mitigation carries documented side effects: the OWA calendar print function breaks, inline images may not render, and OWA Light mode is broken. For organisations running on-premises Exchange, the compliance choice is a documented user-experience degradation or documented active-exploitation exposure through 29 May. Microsoft's EEMS workaround does not constitute a patch for purposes of compliance under BOD 22-01.