The deadline was May 29. It came and went. And a high-severity Microsoft Exchange Server vulnerability that attackers are actively exploiting through malicious emails remains unpatched across an unknown number of federal civilian agency networks.
CVE-2026-42897, a remote code execution flaw carrying a CVSS 3.1 base score of 8.1, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026. Under Binding Operational Directive 22-01, that listing triggered a mandatory remediation clock for every Federal Civilian Executive Branch (FCEB) agency. The clock ran out on May 29. The bug is still being used in live attacks.
Why the remediation window was only 14 days
BOD 22-01 typically grants agencies 30 days to patch or mitigate a newly cataloged vulnerability. For CVE-2026-42897, the window was cut in half. No public CISA statement has explained why this specific CVE received a compressed timeline, but the inference is straightforward: the 14-day span between the May 15 catalog addition and the May 29 due date, as recorded in the NVD entry, is half the directive’s 30-day default. CISA has historically reserved shorter deadlines for flaws it considers especially dangerous or already under broad exploitation, and the compressed window here is consistent with that pattern. Readers should note, however, that this reasoning is drawn from the timeline itself rather than from a specific CISA announcement confirming the compression for CVE-2026-42897.
The directive draws its authority from 44 U.S.C. sections 3552 and 3553, which empower CISA to issue binding cybersecurity requirements across civilian federal networks. When a vulnerability enters the KEV catalog, remediation is not optional for FCEB agencies. It is a legal obligation.
Microsoft, acting as the CVE Numbering Authority, assigned the 8.1 severity score, placing the flaw firmly in the “high” band. The National Vulnerability Database maintained by NIST confirms both the score and the KEV timeline.
What the attack looks like
The exploitation method has been described in security reporting as weaponization through a single email: one crafted message, sent to an Exchange server, capable of triggering remote code execution without requiring the recipient to click a link or open an attachment. That pattern is consistent with prior Exchange Server attack chains, including those seen in the ProxyLogon and ProxyShell campaigns of 2021, where attackers leveraged server-side mail processing to gain footholds before administrators even knew something was wrong.
It is worth noting that the KEV catalog entry and the NVD record both confirm active exploitation but do not specify the attack vector in detail. The “single email” characterization aligns with known Exchange exploitation techniques, though the full technical breakdown has not appeared in primary government documentation as of early June 2026. What is confirmed: attackers are using this bug against real targets, not just probing it in lab environments.
The compliance gap no one can measure
CISA does not publish agency-level compliance data for KEV deadlines. There is no public dashboard showing which agencies patched on time, which requested extensions, or which are still exposed. That opacity means the gap between the order and its execution is invisible to outside observers, including Congress, journalists, and the security community.
What is known is structural. Agencies with aging on-premises Exchange infrastructure, fragmented patch management systems, or limited IT staffing are consistently the ones most likely to miss compressed timelines. Historically, KEV entries targeting Exchange Server have focused on self-hosted installations, which tend to lag behind cloud-managed environments in patch adoption. Whether CVE-2026-42897 also affects Exchange Online configurations managed by Microsoft has not been clarified in public documentation.
BOD 22-01 does not prescribe automatic penalties for missed deadlines. Enforcement flows through the federal Chief Information Security Officer ecosystem and, ultimately, through the Office of Management and Budget’s oversight of agency cybersecurity postures. In practice, that means a missed deadline triggers reporting obligations and internal scrutiny, not immediate consequences.
What a missed deadline actually means for a federal network
Exchange servers are not peripheral systems. They sit at the center of email, calendaring, and often identity management for entire agencies. A remote code execution flaw in that environment does not just compromise a mailbox. It can become a stepping stone to domain-wide access, data exfiltration, or persistent footholds that survive later patching.
Agencies that missed the May 29 deadline now face two problems at once. The first is technical: they need to deploy Microsoft’s patch or apply vendor-recommended mitigations immediately. The second is investigative: they need to determine whether attackers exploited the window of exposure. That means reviewing Exchange server logs, hunting for web shells and unusual process activity, and in some cases bringing in incident response teams to validate whether a compromise occurred.
None of that work is optional. An unpatched Exchange server that has been exposed to a known, actively exploited vulnerability for days or weeks is not a theoretical risk. It is a system that may already be compromised.
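The investigative step described above (reviewing Exchange server logs and hunting for web shells) can be started with a small triage script. The following is an added example, not code from the article or from Microsoft or CISA: it parses IIS W3C logs from an on-premises Exchange front end, flags requests to .aspx pages that are not on an allowlist of expected endpoints (a successful POST to an unknown .aspx is the classic web-shell pattern), tallies the client addresses behind those hits, and lists .aspx files on disk modified after a cutoff such as the May 15 KEV date. The log lines are constructed, the allowlist and the unknown paths in the sample are illustrative assumptions, and a real allowlist should be built from a known-good server's own logs rather than from this short list.

```python
"""Added example: web-shell triage for an on-premises Exchange server.
Log lines below are CONSTRUCTED; the allowlist is an ASSUMPTION."""
import os
from collections import Counter
from dataclasses import dataclass

# ASSUMPTION: .aspx endpoints that legitimately receive requests on this
# server. Build the real list from a known-good server's IIS logs.
EXPECTED_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/ecp/default.aspx",
}

FIELDS_PREFIX = "#Fields: "

# Constructed IIS W3C extended log excerpt. Column order is taken from the
# #Fields header, so the parser also works for other column layouts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-20 09:12:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2026-05-20 09:12:03 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2026-05-20 09:12:05 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Outlook/16.0 200
2026-05-20 23:41:10 10.0.0.5 POST /owa/auth/updates.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2026-05-20 23:41:11 10.0.0.5 POST /owa/auth/updates.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2026-05-20 23:42:02 10.0.0.5 GET /aspnet_client/system_web/x.aspx - 443 - 203.0.113.9 python-requests/2.31 404
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    path: str
    status: str
    reason: str


def parse_w3c(text):
    """Yield (line_no, record) for every data line of an IIS W3C log."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        yield line_no, dict(zip(fields, values))


def hunt_aspx(text, expected=EXPECTED_ASPX):
    """Flag requests for .aspx pages that are not on the expected list."""
    findings = []
    for line_no, rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(".aspx") or path in expected:
            continue
        reason = "unexpected .aspx path"
        if rec["cs-method"].upper() == "POST" and rec["sc-status"] == "200":
            reason = "successful POST to unexpected .aspx (web shell pattern)"
        findings.append(Finding(line_no, rec["c-ip"], rec["cs-method"],
                                path, rec["sc-status"], reason))
    return findings


def suspicious_clients(findings):
    """Count flagged requests per client address to prioritise follow-up."""
    return Counter(f.client_ip for f in findings)


def recent_aspx_files(root, cutoff_epoch):
    """List .aspx files under root whose mtime is after cutoff_epoch, e.g.
    the KEV listing date. Run against the Exchange FrontEnd/HttpProxy and
    inetpub trees on the server (paths are deployment-specific)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".aspx"):
                full = os.path.join(dirpath, name)
                try:
                    if os.path.getmtime(full) > cutoff_epoch:
                        hits.append(full)
                except OSError:
                    pass  # file vanished or unreadable; keep scanning
    return sorted(hits)


if __name__ == "__main__":
    found = hunt_aspx(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.path} "
              f"-> {f.status} [{f.reason}]")
    print("clients to investigate:", dict(suspicious_clients(found)))
```

On the constructed sample the script flags the three requests from 203.0.113.9 and leaves the legitimate logon and EWS traffic alone; a finding from a real server is a lead for incident response, not proof of compromise, and should be paired with a review of the corresponding process activity on the host.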
What this means beyond the federal government
BOD 22-01 binds only FCEB agencies. It does not apply to the Department of Defense, the intelligence community, state and local governments, or private-sector organizations. But CISA has repeatedly urged all network operators to treat KEV entries as priority patches, and the catalog has become a de facto triage list for defenders across every sector.
For any organization still running on-premises Exchange, the signal here is unambiguous. A vulnerability with a high severity score, confirmed in-the-wild exploitation, and an unusually compressed federal remediation window is not something to schedule for the next maintenance cycle. It warrants emergency patching, compensating controls such as restricting external mail flow to affected servers, and focused monitoring for indicators of compromise.
The broader pattern is familiar but no less urgent for its repetition. Exchange Server has been a preferred target for sophisticated threat actors since at least 2021, when the Hafnium campaign demonstrated how quickly a single Exchange vulnerability could be scaled into a mass exploitation event affecting tens of thousands of organizations. CVE-2026-42897 fits that lineage. The question is not whether attackers will use it widely. Based on CISA’s own assessment, they already are.
Where the risk sits as of early June 2026
The situation is defined by what is confirmed and what is not. Confirmed: the vulnerability is real, rated high severity, and under active exploitation. Confirmed: CISA ordered federal agencies to fix it by May 29, and that deadline has passed. Not confirmed: how many agencies complied, whether any were breached, or exactly how attackers are delivering the exploit.
That combination of certainty and opacity is itself the problem. Defenders inside and outside the federal government are working with incomplete information against an adversary that is not. Every day an Exchange server remains unpatched is another day the attacker has the advantage, and the clock that started on May 15 is no longer ticking. It has already run out.
*This article was researched with the help of AI, with human editors creating the final content.