CVE-2026-42897: Microsoft Exchange Server XSS vulnerability

CVE-2026-42897: What You Need to Know Right Now

CVE ID: CVE-2026-42897
CVSS Score: 8.1/10 (High)
Status: Actively exploited in the wild (CISA confirmed)
Weakness: CWE-79

Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.


Why This CVE Matters

CISA has added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog. This is significant — CISA only adds CVEs that have been confirmed as actively exploited in real attacks, not just theoretical risks.

If your organisation uses the affected product, this is a Priority 1 remediation item. Real attackers are using this vulnerability today.

What Attackers Can Do With This

Attackers can send specially crafted emails to users of an affected Exchange server; if a user opens such an email, the XSS payload executes in that user's browser.


Affected Systems

The affected versions are mainly Microsoft Exchange Server 2016 and 2019. The full list of affected server update versions is at https://nvd.nist.gov/vuln/detail/CVE-2026-42897

  • Affected vendor/product: see NVD entry for full version list
  • Check your asset inventory for these products
  • Don’t forget cloud-hosted versions — they may need vendor-side patching

How to Patch — Step by Step

Step 1: Identify affected systems in your environment
Check your CMDB or asset inventory for the affected product.

Step 2: Check your current version
Compare your installed version against the affected range in the NVD entry.

Step 3: Apply the vendor patch
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Step 4: Verify the patch
After patching, confirm the version has changed and run a quick vulnerability scan.

Step 5: Monitor for indicators of compromise
If this CVE was exploited before you patched, check your logs for suspicious activity from the past 30 days.
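The version check in Steps 1, 2 and 4, as an added PowerShell example that is not part of the original post. It assumes you run it from the Exchange Management Shell with remoting to each server; the patched build numbers are not on this page, so the values in $PatchedBuild are placeholders to replace with the builds listed in the MSRC/NVD entries.

```powershell
# Added example, not from the original post: enumerate Exchange servers and flag
# builds below the patched build for CVE-2026-42897 (Steps 1, 2 and 4 above).
# Run from the Exchange Management Shell with PowerShell remoting to each host.
# The patched build numbers are NOT on this page; the values below are
# PLACEHOLDERS to replace with the builds from the MSRC/NVD entries.
$PatchedBuild = @{
    '15.1' = [Version]'15.1.0.0'   # Exchange Server 2016 - PLACEHOLDER
    '15.2' = [Version]'15.2.0.0'   # Exchange Server 2019 - PLACEHOLDER
}

# Caveat: Security Updates do not change AdminDisplayVersion as shown by
# Get-ExchangeServer; only the ExSetup.exe file version reflects them, so
# read that on each host instead of trusting the CU-level version.
function Get-ExSetupVersion {
    param([Parameter(Mandatory)][string]$ComputerName)
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exe).VersionInfo.ProductVersion
    }
    return [Version]$raw
}

function Test-ExchangePatched {
    param([Parameter(Mandatory)]$Server)   # one object from Get-ExchangeServer
    $v   = $Server.AdminDisplayVersion     # 15.1 = Exchange 2016, 15.2 = Exchange 2019
    $key = "$($v.Major).$($v.Minor)"
    if (-not $PatchedBuild.ContainsKey($key)) {
        return [pscustomobject]@{ Server = $Server.Name; Build = $null
                                  Required = $null; Status = 'Unknown major version' }
    }
    $build  = Get-ExSetupVersion -ComputerName $Server.Name
    $status = if ($build -ge $PatchedBuild[$key]) { 'Patched' } else { 'VULNERABLE - apply SU' }
    [pscustomobject]@{ Server = $Server.Name; Build = $build
                       Required = $PatchedBuild[$key]; Status = $status }
}

# Step 1/2: inventory every Exchange server and compare; rerun after patching (Step 4).
Get-ExchangeServer | ForEach-Object { Test-ExchangePatched -Server $_ } | Format-Table -AutoSize
```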


CISA’s Required Action

CISA has mandated that US federal agencies patch this vulnerability. Even if you’re not a federal agency, this is a strong signal — use CISA’s deadline as your own target.

Recommended patch deadline: Within 72 hours of reading this for internet-facing systems. Within 2 weeks for internal systems.


Raghu’s Expert Take

If you are using the specific Microsoft Exchange Server 2016 and 2019 update versions listed, then you need to update; otherwise you are safe. This attack requires specific user interaction.

If an attacker sends a crafted email to a user through the Exchange server and the user opens it, the XSS executes in that user's browser context. Hence, user security awareness training is an important factor that can help prevent such attacks.

In my experience, High-severity CVEs that make it onto the CISA KEV list represent the most urgent patching priority any security team faces. The fact that attackers are already exploiting this means you’re already behind — patch now, investigate later.


Track This and Other Active CVEs

I maintain a free live CVE tracker at asecurityguru.com that pulls directly from CISA’s Known Exploited Vulnerabilities list. Bookmark it for your daily threat intelligence.

Published by Raghu the Security Expert — ASecurityGuru.com
