The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft Exchange Server flaw, tracked as CVE-2026-42897 with a CVSS score of 8.1, to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft warned that threat actors are actively exploiting this Exchange Server zero-day, which involves improper neutralisation of input during web page generation and enables spoofing over a network; exploitation is possible via Outlook Web Access by sending a specially crafted email.
The advisory notes that Microsoft has detected active exploitation in the wild and advises administrators to apply temporary mitigations until a permanent update is available; CISA has urged federal agencies to address the vulnerability by May 29, 2026. Exchange zero-days are considered high risk because they sit at the centre of corporate email, and exploitation can provide attackers with access to emails, credentials, and internal systems.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, agencies must address identified vulnerabilities by the due date to protect networks.