Morning Overview

Microsoft just confirmed hackers are actively exploiting an Exchange Server zero-day with no patch available — a single crafted email can take over your whole server

A high-severity vulnerability in Microsoft Exchange Server is under active exploitation right now, and Microsoft has not released a patch. The flaw, tracked as CVE-2026-42897, is a cross-site scripting (XSS) bug that lets an attacker spoof identities over the network. In practical terms, a single specially crafted email hitting your server could give an outsider the ability to impersonate accounts, hijack sessions, and ultimately seize control of the entire mail environment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies just 14 days to apply mitigations, and every organization running on-premises Exchange should treat that clock as its own.

What we know for certain

Microsoft has assessed CVE-2026-42897 with a CVSS v3.1 base score of 8.1 (HIGH), according to the National Vulnerability Database. The score reflects a network-accessible attack vector, low complexity, and serious potential impact on both confidentiality and integrity. No physical access or authenticated credentials are required to begin exploitation. An attacker only needs to deliver a crafted message that triggers the XSS chain on the server’s web-facing components, enabling identity or session spoofing from there.

For an email server that handles user authentication, message routing, and often ties directly into Active Directory, any spoofing capability is dangerous. An attacker who can impersonate a legitimate mailbox owner or administrator can pivot deeper into the environment, modify mail-flow rules to exfiltrate data, or deploy additional malware across the network.

CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026. The agency only places a CVE in the KEV catalog when it has confirmed evidence of real-world exploitation, not when a flaw is merely theoretical. The catalog entry sets a remediation deadline of May 29, 2026. Because no patch exists, the required action is to “apply mitigations” rather than install an update.

That 14-day window is notably compressed. CISA routinely grants 21 days or longer when a tested vendor patch is available. Shortening the deadline while only workarounds exist signals the agency views the threat as severe enough to warrant emergency-level urgency.

Why this feels familiar

Exchange Server has been at the center of some of the most damaging cyberattacks in recent memory. In early 2021, the Hafnium campaign exploited a chain of zero-days (collectively known as ProxyLogon) to compromise tens of thousands of on-premises Exchange servers worldwide before Microsoft could ship fixes. Later that year, the ProxyShell vulnerabilities offered attackers another route in. In 2022, ProxyNotShell added yet another chapter. Each time, the pattern was the same: a remotely exploitable flaw in internet-facing Exchange infrastructure, active exploitation before or immediately after disclosure, and a scramble by defenders to close the gap.

CVE-2026-42897 fits that pattern uncomfortably well. The attack vector is the network, the complexity is low, and exploitation is already happening. The key difference so far is that Microsoft has not yet shipped a patch at all, leaving organizations in a holding pattern that lasted only briefly during the earlier incidents.

What we still don’t know

Several critical details remain missing from the public record as of late May 2026.

Affected versions. Neither the NVD entry nor the CISA catalog specifies whether Exchange Server 2016, 2019, or both are vulnerable, or whether specific cumulative updates are required for exploitation. Administrators with multiple Exchange deployments cannot yet prioritize which instances carry the most risk.

Exchange Online status. The public advisories focus on on-premises Exchange Server. Microsoft 365 and Exchange Online customers will want to know whether cloud-hosted environments are exposed. So far, no government or vendor source has addressed this directly. Organizations running hybrid configurations should treat their on-premises components as potentially vulnerable until Microsoft clarifies.

Vendor advisory. The type of detailed security bulletin Microsoft typically publishes for high-severity CVEs, complete with affected-version matrices, impact analysis, and recommended workarounds, has not appeared in the references attached to the NVD or KEV records. The NVD does attribute the CVSS score to Microsoft, confirming the company’s involvement in the assessment, but administrators are currently working without vendor-authored remediation guidance.

Indicators of compromise. No file hashes, network signatures, or behavioral indicators tied to active exploitation have been released through public channels. CISA sometimes distributes such data through restricted feeds to federal and critical-infrastructure partners, but the broader IT community does not yet have exploit-specific detection signatures to deploy.

Threat actor attribution. Nothing in the NVD or KEV records identifies who is behind the attacks, how many organizations have been compromised, or which sectors or regions are being targeted. Any claims about specific groups or large-scale breach counts that lack an official source should be treated skeptically.

What Exchange administrators should do right now

Waiting for a perfect picture is not an option when exploitation is already confirmed. Here is a prioritized action list based on what the available evidence supports.

1. Check your mandate. Review the CISA KEV entry and determine whether your organization falls under Binding Operational Directive 22-01 (federal civilian agencies) or has internal policies that mirror KEV requirements. Even private-sector organizations should treat the May 29 deadline as a reasonable benchmark.

2. Reduce the attack surface. Lock down Exchange management interfaces (ECP, EAC) so they are accessible only from trusted networks or through VPN. If Outlook Web Access must remain internet-facing, place it behind a web application firewall (WAF) configured for aggressive input validation and script-content blocking.

3. Harden against XSS specifically. Enforce strict Content-Security-Policy headers on all Exchange web endpoints. Enable or tighten XSS filtering in security gateways and browser policies, particularly for administrative consoles. Review and restrict the use of inline scripts wherever Exchange’s configuration allows.

4. Hunt for anomalies now. Without published indicators of compromise, detection depends on behavioral signals. Monitor authentication logs for unexpected delegation changes, new inbox rules, or unusual sending patterns. Watch for session tokens being used from unfamiliar IP addresses or geolocations. Inspect email headers for signs of spoofed internal identities.

5. Prepare for rapid patching. When Microsoft does release a fix, the window between patch availability and widespread weaponization of the vulnerability will likely be short. Validate your Exchange backup and recovery procedures today. Identify maintenance windows, pre-stage change-management approvals, and test your patching workflow in a lab environment if one is available.

6. Brief your leadership. Security leaders should communicate clearly to stakeholders: CVE-2026-42897 is a high-severity, network-exploitable flaw under active attack with no vendor patch. Affected versions are not yet confirmed. Mitigations are in place but their completeness against this specific exploit chain has not been publicly validated. Ground every statement in the NVD and KEV records so decision-makers can weigh risk tolerance against operational disruption with accurate information.
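As an added worked example (not from the article, Microsoft or CISA), the following Exchange Management Shell script implements the behavioral hunt in step 4 for the on-premises settings an attacker with a spoofed identity would most plausibly touch: inbox rules that forward, redirect or delete mail, mailbox-level forwarding, explicit Full Access delegations, and the admin audit log entries that show who changed them. It assumes the organization's accepted domains are those listed in $InternalDomains (placeholder values, not real domains) and uses a 14-day look-back matching the KEV window. It only reads; it changes nothing. Note that rule and delegation changes are recorded in the Exchange admin audit log rather than in authentication logs, so that is where the final query looks.

```powershell
# Added hunting script; not from the article, Microsoft or CISA. Run in the Exchange
# Management Shell on an on-premises Exchange 2016/2019 server with a role that can
# read mailboxes, inbox rules, permissions and the admin audit log. Read-only.

# Placeholder accepted domains: replace with the output of Get-AcceptedDomain.
$InternalDomains = @('contoso.example', 'corp.contoso.example')
# Look back over the same 14 days CISA gave for mitigation.
$Since = (Get-Date).AddDays(-14)

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule targets render as '"Name" [SMTP:user@domain]' or a plain address;
    # extract the domain and compare it with the accepted-domain list.
    if ($Recipient -match '@([A-Za-z0-9.-]+)') {
        $domain = $Matches[1].ToLower()
        return -not ($InternalDomains -contains $domain)
    }
    # Legacy DN targets (EX:/o=...) resolve inside the org; treat as internal.
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Inbox rules that send mail outside the organization or silently delete it.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue | ForEach-Object {
        $targets  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient ([string]$_) }
        if ($external -or $_.DeleteMessage) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = ($external -join '; ')
                Deletes  = $_.DeleteMessage
            }
        }
    }
}
Write-Host "== Inbox rules forwarding externally or deleting mail =="
$suspiciousRules | Format-Table -AutoSize

# 2. Forwarding configured on the mailbox object itself (no inbox rule needed).
Write-Host "== Mailbox-level forwarding =="
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Explicit (non-inherited) Full Access delegations granted to other principals.
Write-Host "== Explicit Full Access delegations =="
$mailboxes | Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.AccessRights -like '*FullAccess*') -and
                   ($_.User -notlike 'NT AUTHORITY\SELF') } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize

# 4. Who made these changes, and when, from the admin audit log.
Write-Host "== Recent rule / permission / mailbox changes (admin audit log) =="
Search-AdminAuditLog -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 `
    -Cmdlets New-InboxRule, Set-InboxRule, Add-MailboxPermission, Set-Mailbox, Add-ADPermission |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

Review the output per mailbox rather than alerting on it wholesale: sanctioned delegations and legitimate forwarding will appear too, so capture a baseline now and diff later runs against it. Rules created through Outlook or OWA by the mailbox owner appear in sections 1 and 2 but not in the admin audit log, which only records cmdlet execution, so an empty section 4 does not clear the mailboxes. Session-token reuse from unfamiliar IP addresses, the other half of step 4, is not visible through these cmdlets and requires correlating the server's IIS request logs, which this script does not cover.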

The clock is already running

Exchange Server zero-days have a track record of escalating quickly. ProxyLogon went from targeted espionage to mass exploitation in a matter of days once details spread. CVE-2026-42897 is already past the “targeted” stage; CISA does not add vulnerabilities to the KEV catalog on a hunch. Every day without a patch is a day the attacker community refines its tooling and broadens its targeting.

Organizations that act on the mitigations above will not eliminate the risk entirely, but they will meaningfully narrow the window an attacker can exploit. And when the patch finally arrives, they will be positioned to deploy it fast rather than scrambling from a standing start. The worst outcome here is not uncertainty. It is inaction while the evidence is already clear.

*This article was researched with the help of AI, with human editors creating the final content.