Morning Overview

Microsoft Exchange servers are under active attack through CVE-2026-42897 — a spoofing flaw triggered by opening a single crafted email in Outlook Web Access

A single email, opened in a browser, is all it takes. Microsoft Exchange servers running Outlook Web Access (OWA) are being actively exploited through a spoofing vulnerability tracked as CVE-2026-42897, and two U.S. federal agencies have confirmed the attacks are real. The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2026, setting a binding remediation deadline for all federal civilian agencies and sending a clear signal to the private sector: patch now.

What the vulnerability does

CVE-2026-42897 is a spoofing flaw in Microsoft Exchange Server. It allows an attacker to craft an email that forges sender identity or domain information in a way that OWA renders as trustworthy. When a user opens that message in the browser-based OWA client, the spoofing takes effect without any additional interaction. There is no attachment to download, no macro to enable, and no link to click. Simply viewing the email is enough.

That low barrier to exploitation is what makes the flaw so dangerous. In most phishing scenarios, defenders can train users to avoid opening attachments or clicking suspicious links. Here, the malicious payload is baked into the email itself, and OWA processes it the moment the message is rendered. For organizations where staff routinely open messages from external contacts, such as law firms, healthcare providers, financial institutions, and government agencies, the risk is immediate and difficult to mitigate through user awareness alone.

Why federal agencies are treating this as urgent

CISA does not add vulnerabilities to the KEV catalog on speculation. Under Binding Operational Directive 22-01, inclusion requires confirmed evidence that a vulnerability is being exploited in real-world environments. Once listed, every federal civilian executive branch agency must remediate by the stated due date or face compliance consequences. The directive does not apply to private companies, but CISA has repeatedly urged all organizations to treat KEV entries as a prioritized patching list.

The National Vulnerability Database (NVD) entry, maintained by the National Institute of Standards and Technology, independently enriches the record. The NVD page carries both a Microsoft-assigned CVSS vector (Microsoft serves as the CVE Numbering Authority) and a separate NVD-enriched score, giving defenders two independent severity assessments. The entry also cross-references the Microsoft Security Response Center (MSRC) advisory, which contains patch details and affected version information.

What we do not yet know

Neither CISA nor NIST has published data on the scale of exploitation. It is unclear whether attackers are targeting a small number of high-value networks or scanning broadly across internet-facing Exchange deployments. No threat actor attribution has appeared in federal records, and no indicators of compromise, such as file hashes, IP addresses, or malicious email header patterns, have been released through the KEV catalog or NVD.

The specific Exchange Server versions affected, the exact patch KB numbers, and any interim workarounds Microsoft may recommend are documented in the MSRC advisory rather than in the federal catalog entries. Administrators should consult that advisory directly for version-specific guidance. The full CVSS base score is available on the live NVD detail page; because the numeric value was not reproduced in the catalog summaries reviewed for this report, we are directing readers to the source rather than risk citing an outdated figure.

One question many organizations will have: does this affect Microsoft 365 or Exchange Online? Spoofing flaws in Exchange Server have historically been limited to on-premises deployments, since Microsoft manages patching and configuration for its cloud-hosted service. However, until Microsoft explicitly confirms that Exchange Online is unaffected, organizations running hybrid environments should verify their exposure on both sides.

What defenders should do right now

1. Identify and patch. Pull up the MSRC advisory linked from the NVD detail page. Match your Exchange Server build number against the affected versions and apply the corresponding security update. If your organization falls under BOD 22-01, the CISA remediation deadline is your hard stop. Everyone else should treat it the same way.

2. Restrict OWA exposure. If patching cannot happen immediately, reduce the attack surface by disabling external access to Outlook Web Access or placing it behind a VPN. This is not a permanent fix, but it removes the most direct path an attacker can use to deliver a crafted email to a browser session.

3. Layer your defenses. Web application firewalls and reverse proxies sitting in front of OWA can log and, in some configurations, block anomalous requests tied to crafted email content. Exchange transport rules can flag or quarantine messages that spoof internal domains. Neither measure replaces patching, but both buy time and create detection opportunities.

4. Hunt in your logs. Even without published indicators of compromise, security teams should review Exchange and IIS logs for unusual patterns: repeated access to specific messages, unexpected authentication attempts, or administrative actions that do not match normal workflows. Focus on the time windows when users may have accessed suspicious emails. Patterns that look benign in isolation can reveal compromise when correlated.

5. Escalate internally. The combination of confirmed exploitation, a trivial trigger, and a federal deadline makes CVE-2026-42897 a strong candidate for emergency change procedures. If your organization enforces change freezes or has a long patch backlog, this is the vulnerability that justifies an exception. Schedule off-hours downtime, pull in additional staff, and get it done.
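As an added example (not from this article or from Microsoft), the PowerShell below shows steps 1 and 3 in the Exchange Management Shell: an inventory of server builds to compare against the MSRC advisory, followed by a transport rule that intercepts mail arriving from outside the organization whose sender claims one of your own domains, rolled out in audit mode first. The domain names, review mailbox, IP range and rule name are placeholders, and availability of the SenderAddressLocation parameter on your build is assumed.

```powershell
# Added example, not the article's or Microsoft's own code. Run in the Exchange
# Management Shell on an Exchange server with Organization Management rights.

# Step 1: inventory builds so they can be matched against the MSRC advisory.
# AdminDisplayVersion shows the CU level; ExSetup.exe's file version shows the
# exact build including the Security Update that is actually installed.
Get-ExchangeServer | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize
(Get-Command ExSetup.exe).FileVersionInfo.FileVersion

# Step 3: layered control while patching is scheduled. Placeholders below.
$ruleName      = 'Review external mail claiming internal domains (CVE-2026-42897 mitigation)'
$ownDomains    = @('corp.example', 'mail.corp.example')   # placeholder: your accepted domains
$reviewMailbox = 'spoof-review@corp.example'              # placeholder: triage mailbox
$trustedRelays = @('203.0.113.0/24')                      # placeholder: partners allowed to relay as you

$ruleParams = @{
    Name                  = $ruleName
    FromScope             = 'NotInOrganization'   # only mail entering from outside the org
    SenderDomainIs        = $ownDomains           # whose sender claims one of our domains
    SenderAddressLocation = 'HeaderOrEnvelope'    # evaluate the From: header as well as MAIL FROM
    ExceptIfSenderIpRanges = $trustedRelays       # known third-party senders using our domain
    RedirectMessageTo     = $reviewMailbox        # divert matches for human review
    SetHeaderName         = 'X-Spoof-Review'      # tag the message so hunts can find it later
    SetHeaderValue        = 'internal-domain-from-external'
    Mode                  = 'Audit'               # log matches only; mail flow is untouched
    Comments              = 'Temporary control; remove once the CVE-2026-42897 update is verified.'
}
New-TransportRule @ruleParams

# Confirm the rule landed with the intended scope before trusting it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, SenderAddressLocation, RedirectMessageTo

# After the audit window shows no legitimate senders caught (or exceptions were
# added for them), promote the rule so matches are actually redirected.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Removing the rule after the patch is verified is a single Remove-TransportRule call; leaving it in place indefinitely silently breaks any future partner that legitimately sends as your domain.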

A familiar pattern for Exchange administrators

Exchange Server has been at the center of some of the most consequential cyberattacks in recent years. The ProxyLogon and ProxyShell vulnerabilities in 2021 led to mass exploitation by both state-sponsored groups and ransomware operators, affecting tens of thousands of organizations worldwide. Those incidents exposed a painful reality: many organizations are slow to patch on-premises Exchange, and attackers know it.

CVE-2026-42897 follows a similar playbook. The vulnerability sits in a widely deployed product, the trigger is simple, and the window between public disclosure and widespread exploitation tends to be short. CISA’s rapid addition of the flaw to the KEV catalog suggests the agency sees the same risk profile.

The public record around this vulnerability is still developing. More detailed technical analysis, threat actor attribution, and sector-specific advisories will likely follow in the coming weeks. But the core facts are already clear from government sources: attacks are happening, the trigger is as simple as opening an email in a browser, and the patch path is defined. Waiting for more information before acting is a gamble that the history of Exchange exploitation does not support.

*This article was researched with the help of AI, with human editors creating the final content.