
Microsoft Exchange Server

Microsoft's on-premises enterprise mail server product; CVE-2026-42897 in its Outlook Web Access component was actively exploited from mid-May 2026 with no patch available.

Last refreshed: 20 May 2026 · Appears in 1 active topic

Key Question

CISA set a 29 May patch deadline for Exchange; will Microsoft ship before the clock runs out?

Timeline for Microsoft Exchange Server

#4 · 15 May

Exchange repeats the CISA deadline-before-patch trap

Cybersecurity: Threats and Defences
Common Questions
Has Microsoft patched the Exchange zero-day CVE-2026-42897 yet?
As of 20 May 2026 Microsoft had not shipped a patch. The only Microsoft-sanctioned mitigation is the Exchange Emergency Mitigation Service (EEMS) URL-rewrite rule; CISA's federal remediation deadline is 29 May 2026.
Source: CISA KEV Catalogue / Help Net Security
What versions of Exchange Server are affected by CVE-2026-42897?
Exchange Server 2016, 2019, and Subscription Edition (on-premises only) are affected. Exchange Online is not affected.
Source: Microsoft Security Response Center
What are the side effects of the Exchange Emergency Mitigation Service workaround?
Enabling the EEMS URL-rewrite rule breaks the OWA calendar print function, may prevent inline images from rendering, and breaks OWA Light mode.
Source: Microsoft Security Response Center
Why did CISA set a deadline for an Exchange flaw that Microsoft hasn't fixed?
CISA's Binding Operational Directive 22-01 requires agencies to remediate KEV-listed vulnerabilities by the stated deadline regardless of patch availability. CISA treats active exploitation as sufficient reason to mandate action even when the vendor has no patch.
Source: CISA BOD 22-01
How does CVE-2026-42897 compare to previous Exchange Server zero-days like ProxyLogon?
CVE-2026-42897 is an XSS flaw (CVSS 8.1) affecting OWA, lower severity than ProxyLogon (CVSS 9.8, SSRF chained to RCE). However, the absence of a patch and confirmed active exploitation follow the same pattern of mass exploitation before Microsoft ships a fix.

Background

Microsoft Exchange Server is under active exploitation in May 2026 via CVE-2026-42897, a cross-site scripting zero-day in its browser-mail front-end Outlook Web Access rated CVSS 8.1. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 15 May with a federal remediation deadline of 29 May 2026, yet Microsoft has not shipped a patch. The only sanctioned mitigation is the Exchange Emergency Mitigation Service (EEMS) URL-rewrite rule. EEMS is on by default for supported on-premises deployments (Exchange 2016 CU22 and later, 2019 CU11 and later, and Subscription Edition), but "on by default" does not mean "applied": the service only pulls and installs rules if it is running, has not been disabled at organisation or server level, and can reach Microsoft's Office Configuration Service over outbound HTTPS. The rule also carries documented side effects, including OWA calendar-print failure, broken Light mode, and inline-image rendering failures.
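The check a practitioner wants before trusting "on by default" is whether EEMS on a given server is actually able to apply mitigations and has done so. The script below is an added example written for this page; it is not Microsoft's code and not part of the original briefing. It assumes it is run from the Exchange Management Shell on an on-premises Exchange 2016 CU22+ / 2019 CU11+ server with the IIS WebAdministration module available, and it does not look for a rule tied to CVE-2026-42897 by name, because the page does not give the mitigation's identifier. The cmdlets and property names (Get-OrganizationConfig, Get-ExchangeServer with MitigationsEnabled / MitigationsApplied / MitigationsBlocked, the MSExchangeMitigation service, the officeclient.microsoft.com endpoint) are the real EEMS surfaces; the verdict logic and output layout are the example's own.

```powershell
# Added example (not from the page or from Microsoft): report whether EEMS on this
# server can apply mitigations and which IIS URL Rewrite rules sit on the OWA vdir.
# Run from the Exchange Management Shell as an Exchange administrator.
# Assumption: Exchange 2016 CU22+ / 2019 CU11+ (EEMS present) and WebAdministration installed.

$server = $env:COMPUTERNAME

# 1. Organisation-level switch: if this is $false, EEMS applies nothing on any server.
$org = Get-OrganizationConfig
"Organization MitigationsEnabled : $($org.MitigationsEnabled)"

# 2. Per-server state. MitigationsApplied lists the mitigation IDs EEMS has installed;
#    MitigationsBlocked lists IDs an administrator has explicitly opted out of.
$srv = Get-ExchangeServer -Identity $server
"Server MitigationsEnabled       : $($srv.MitigationsEnabled)"
"MitigationsApplied              : $($srv.MitigationsApplied -join ', ')"
"MitigationsBlocked              : $($srv.MitigationsBlocked -join ', ')"

# 3. The Emergency Mitigation service itself must be running.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
"MSExchangeMitigation service    : $($svc.Status)"

# 4. EEMS downloads its rule set from the Office Configuration Service; without
#    outbound 443 to that endpoint, "on by default" never becomes an applied rule.
$ocs = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -WarningAction SilentlyContinue
"OCS reachable on 443            : $($ocs.TcpTestSucceeded)"

# 5. Show the URL Rewrite rules actually present on the OWA virtual directory,
#    which is where an OWA-targeting mitigation lands in IIS configuration.
Import-Module WebAdministration
Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site\owa' `
    -Filter 'system.webServer/rewrite/rules/rule' |
    Select-Object name, @{ n = 'pattern'; e = { $_.match.url } }

# 6. One-line verdict suitable for an evidence record or change ticket.
if (-not $org.MitigationsEnabled -or -not $srv.MitigationsEnabled) {
    Write-Warning "EEMS is disabled for $server; mitigations will not be applied automatically."
} elseif ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Warning "MSExchangeMitigation is not running on $server."
} elseif (-not $ocs.TcpTestSucceeded) {
    Write-Warning "$server cannot reach the Office Configuration Service; EEMS cannot fetch mitigations."
} elseif (-not $srv.MitigationsApplied) {
    Write-Warning "EEMS is enabled on $server but no mitigations have been applied yet."
} else {
    "EEMS active on $server with $($srv.MitigationsApplied.Count) mitigation(s) applied."
}
```

Run it on every Exchange server in the estate, not just one: EEMS state is per server, so a single host with a blocked mitigation, a stopped service, or an egress rule that drops traffic to officeclient.microsoft.com stays exposed while the rest of the fleet reports clean. The rule list in step 5 is informational; match it against the mitigation ID Microsoft publishes for this CVE once that is known.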

Exchange Server has served as Microsoft's on-premises messaging platform since version 4.0 in 1996, scaling to support millions of mailboxes across government, healthcare, and financial services. Versions 2016, 2019, and the Subscription Edition are affected by CVE-2026-42897; Exchange Online is unaffected. The product competes in an era of cloud migration but remains entrenched in regulated sectors that cannot move to hosted platforms. It has a documented history of high-severity zero-days: ProxyLogon (2021) and ProxyNotShell (2022) were exploited in the wild before Microsoft shipped patches, and ProxyShell (2021) drew mass exploitation of servers that had not applied fixes released months earlier.

The 29 May deadline creates a compliance paradox for federal CISOs: Binding Operational Directive 22-01 requires remediation by the due date, but no patch exists. CISA's standard required action for a KEV entry is to apply mitigations per vendor instructions, or to discontinue use of the product if none are available, so in practice the directive mandates the EEMS rule, side effects included, on every federal Exchange server by 29 May. This is the second time in twelve days CISA has imposed a federal deadline against a vulnerability for which the vendor has not shipped a fix, following PAN-OS CVE-2026-0300 on 6 May. The pattern signals CISA is treating KEV deadlines as exploitation-velocity pressure rather than achievable remediation milestones, widening the gap between directive intent and operational reality for on-premises Exchange estates.

Source Material