
Microsoft Exchange Server
Microsoft's on-premises enterprise mail server; CVE-2026-42897 became the first KEV-listed Exchange flaw patched sixteen days after its federal deadline.
Last refreshed: 14 June 2026 · Appears in 1 active topic
What does the Exchange patch arriving sixteen days late mean for the BOD 22-01 compliance model?
Timeline for Microsoft Exchange Server
Received the overdue patch for CVE-2026-42897 OWA spoofing flaw on 9 June
Cybersecurity: Threats and Defences: 200 fixes, six zero-days, late ExchangeExchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesHas Microsoft patched the Exchange zero-day CVE-2026-42897 yet?
What versions of Exchange Server are affected by CVE-2026-42897?
What are the side effects of the Exchange Emergency Mitigation Service workaround?
Background
Microsoft Exchange Server has served as Microsoft's on-premises messaging platform since version 4.0 in 1996, scaling to tens of millions of mailboxes across government, healthcare, and financial services worldwide. The product family — 2016, 2019, and the Subscription Edition — remains dominant in regulated sectors that cannot move to hosted platforms, competing with Microsoft's own Exchange Online and other cloud mail services. It has a documented history of critical zero-days exploited at mass scale before patches landed: ProxyLogon (CVE-2021-26855, CVSS 9.8), ProxyShell (2021), and ProxyNotShell (2022) each triggered global exploitation waves.
In May and June 2026 Exchange Server became the cleanest worked example of a structural tension in CISA's Binding Operational Directive 22-01: the gap between a KEV remediation Deadline and a vendor patch. CISA added CVE-2026-42897, a cross-site scripting zero-day in Outlook Web Access (CVSS 8.1), to the KEV catalogue on 15 May 2026 with a federal remediation Deadline of 29 May. No patch was available; the only sanctioned mitigation was the Exchange Emergency Mitigation Service URL-rewrite rule, which carries documented side effects including OWA calendar-print failure, broken Light mode, and inline-image rendering failures. Microsoft shipped the fix in its June 2026 Patch Tuesday on 9 June, sixteen days past the federal Deadline — the first on-record Exchange CVE to close that particular gap with the Deadline in the rear-view mirror rather than concurrent with the listing. Exchange Online was unaffected throughout.
The sixteen-day overage matters beyond Exchange itself. BOD 22-01's text requires "remediation" but does not define mitigation as a compliant substitute; federal CISOs who applied the EEMS workaround before 29 May remained in a technically non-compliant posture until the patch landed on 9 June. Paired with a second KEV entry in the same June 2026 Patch Tuesday cycle where the vendor (Arista, CVE-2026-7473) formally declined to patch, Exchange's trajectory is now one of two data points that define the current outer boundaries of the compliance model's stress.