Skip to content
You can now search across every topic, entity and event.What's new
Microsoft Exchange Server
ProductUS

Microsoft Exchange Server

Microsoft's on-premises enterprise mail server; CVE-2026-42897 became the first KEV-listed Exchange flaw patched sixteen days after its federal deadline.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

What does the Exchange patch arriving sixteen days late mean for the BOD 22-01 compliance model?

Timeline for Microsoft Exchange Server

#79 Jun

Received the overdue patch for CVE-2026-42897 OWA spoofing flaw on 9 June

Cybersecurity: Threats and Defences: 200 fixes, six zero-days, late Exchange
#415 May

Exchange repeats the CISA deadline-before-patch trap

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
Has Microsoft patched the Exchange zero-day CVE-2026-42897 yet?
As of 20 May 2026 Microsoft had not shipped a patch. The only mitigation is the Exchange Emergency Mitigation Service URL-rewrite rule, with a CISA federal Deadline of 29 May 2026.Source: CISA KEV Catalogue / Help Net Security
What versions of Exchange Server are affected by CVE-2026-42897?
Exchange Server 2016, 2019, and Subscription Edition (on-premises only) are affected. Exchange Online is not affected.Source: Microsoft Security Response Center
What are the side effects of the Exchange Emergency Mitigation Service workaround?
Enabling the EEMS URL-rewrite rule breaks the OWA calendar print function, may prevent inline images from rendering, and breaks OWA Light mode.Source: Microsoft Security Response Center

Background

Microsoft Exchange Server has served as Microsoft's on-premises messaging platform since version 4.0 in 1996, scaling to tens of millions of mailboxes across government, healthcare, and financial services worldwide. The product family — 2016, 2019, and the Subscription Edition — remains dominant in regulated sectors that cannot move to hosted platforms, competing with Microsoft's own Exchange Online and other cloud mail services. It has a documented history of critical zero-days exploited at mass scale before patches landed: ProxyLogon (CVE-2021-26855, CVSS 9.8), ProxyShell (2021), and ProxyNotShell (2022) each triggered global exploitation waves.

In May and June 2026 Exchange Server became the cleanest worked example of a structural tension in CISA's Binding Operational Directive 22-01: the gap between a KEV remediation Deadline and a vendor patch. CISA added CVE-2026-42897, a cross-site scripting zero-day in Outlook Web Access (CVSS 8.1), to the KEV catalogue on 15 May 2026 with a federal remediation Deadline of 29 May. No patch was available; the only sanctioned mitigation was the Exchange Emergency Mitigation Service URL-rewrite rule, which carries documented side effects including OWA calendar-print failure, broken Light mode, and inline-image rendering failures. Microsoft shipped the fix in its June 2026 Patch Tuesday on 9 June, sixteen days past the federal Deadline — the first on-record Exchange CVE to close that particular gap with the Deadline in the rear-view mirror rather than concurrent with the listing. Exchange Online was unaffected throughout.

The sixteen-day overage matters beyond Exchange itself. BOD 22-01's text requires "remediation" but does not define mitigation as a compliant substitute; federal CISOs who applied the EEMS workaround before 29 May remained in a technically non-compliant posture until the patch landed on 9 June. Paired with a second KEV entry in the same June 2026 Patch Tuesday cycle where the vendor (Arista, CVE-2026-7473) formally declined to patch, Exchange's trajectory is now one of two data points that define the current outer boundaries of the compliance model's stress.

More questions
Why did CISA set a deadline for an Exchange flaw that Microsoft hasn't fixed?
CISA's Binding Operational Directive 22-01 requires agencies to remediate KEV-listed vulnerabilities by the stated Deadline regardless of patch availability. CISA treats active exploitation as sufficient reason to mandate action even when the vendor has no patch.Source: CISA BOD 22-01
How does CVE-2026-42897 compare to previous Exchange Server zero-days like ProxyLogon?
CVE-2026-42897 is an XSS flaw (CVSS 8.1) affecting OWA, lower severity than ProxyLogon (CVSS 9.8, RCE). However the absence of a patch and confirmed active exploitation follow the same pattern of mass exploitation before Microsoft ships a fix.
Has Microsoft released the patch for Exchange Server CVE-2026-42897?
Yes. Microsoft shipped the fix in its June 2026 Patch Tuesday on 9 June 2026, sixteen days after the CISA federal Deadline of 29 May 2026. Affected versions are Exchange Server 2016, 2019, and Subscription Edition; Exchange Online was not affected.Source: Microsoft Security Response Center
Source Material