CISA Adds Microsoft Exchange XSS Vulnerability to KEV Catalog

CVE-2026-42897 joins the Known Exploited Vulnerabilities list following evidence of active exploitation in the wild.

  • CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to its KEV catalog
  • The addition follows evidence that threat actors are actively exploiting this vulnerability
  • Federal agencies must remediate KEV vulnerabilities by specified due dates under BOD 22-01

The US Cybersecurity and Infrastructure Security Agency has added a Microsoft Exchange Server cross-site scripting vulnerability to its Known Exploited Vulnerabilities catalog following evidence of active exploitation.

CISA announced on 15 May that CVE-2026-42897 had been added to the KEV catalog based on evidence that malicious cyber actors are actively targeting this vulnerability.

The vulnerability is a cross-site scripting flaw in Microsoft Exchange Server. CISA notes that cross-site scripting vulnerabilities are frequently used as attack vectors by threat actors and pose significant risks to federal networks.

The KEV catalog was established under Binding Operational Directive 22-01 as a living list of Common Vulnerabilities and Exposures that carry significant risk to federal enterprise networks. The directive requires Federal Civilian Executive Branch agencies to remediate catalogued vulnerabilities by specified due dates.

While BOD 22-01 mandates compliance only for federal agencies, CISA strongly recommends that all organisations prioritise timely remediation of KEV catalog vulnerabilities as part of their vulnerability management practices.

The agency indicated that it will continue adding vulnerabilities to the catalog that meet its criteria: evidence of active exploitation and significant risk to federal networks.

Why It Matters

Exchange Server vulnerabilities have historically been prime targets for nation-state actors and ransomware groups, making this addition particularly relevant for CISOs managing Microsoft email infrastructure. The KEV catalog designation signals that this vulnerability is being actively exploited in real-world attacks, requiring immediate attention in board reporting and risk assessments.

What To Do Now

  • Check if your organisation runs Microsoft Exchange Server and assess exposure to CVE-2026-42897
  • Review the KEV catalog for the specific remediation deadline assigned to this vulnerability
  • Prioritise this vulnerability in your patch management queue given evidence of active exploitation