Exchange Server CVE-2026-42897
Microsoft Exchange OWA cross-site scripting zero-day; CVSS 8.1; CISA KEV with 29 May federal deadline and no patch.
Last refreshed: 20 May 2026
CISA gave federal agencies until 29 May to fix an Exchange bug Microsoft has not patched; what does that mean for compliance?
Timeline for Exchange Server CVE-2026-42897
Exchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesWhat is CVE-2026-42897 in Microsoft Exchange?
Is there a patch for Exchange CVE-2026-42897?
How should I protect Exchange Server from CVE-2026-42897 before a patch exists?
Background
Exchange Server CVE-2026-42897 is a cross-site scripting zero-day vulnerability in Microsoft Exchange's Outlook Web Access (OWA) component, rated CVSS 8.1. CISA added it to the Known Exploited Vulnerabilities catalogue on 15 May 2026 with a federal remediation Deadline of 29 May 2026. Microsoft had not shipped a patch at the time of the KEV addition or as of 20 May 2026; the only available mitigation was the Exchange Emergency Mitigation Service URL-rewrite rule, which is applied automatically on supported on-premises deployments. Active exploitation has been confirmed against Exchange Server 2016, 2019, and Subscription Edition on-premises; Exchange Online is unaffected.
CVE-2026-42897 is the second instance in twelve days of CISA imposing a federal compliance obligation under BOD 22-01 without a remediation PATH. The PAN-OS CVE-2026-0300 precedent on 6 May 2026 established that CISA is willing to write KEV deadlines before vendor patches exist; CVE-2026-42897 confirms the pattern as posture rather than exception. For federal CISOs, BOD 22-01's remediation requirement conflicts with its own operational practice: the documented response to CVE-2026-42897 is the EEMS mitigation plus mailbox-rule monitoring and session-token rotation, which is not remediable under the directive's literal terms.
The EEMS URL-rewrite mitigation carries documented side effects: the OWA calendar print function breaks, inline images may not render, and OWA Light mode is broken. For organisations running on-premises Exchange, the compliance choice is a documented user-experience degradation or documented active-exploitation exposure through 29 May. Microsoft's EEMS workaround does not constitute a patch for purposes of compliance under BOD 22-01.