🔴 CVE-2026-42897

CVE-2026-42897 is a cross-site scripting vulnerability in Microsoft Exchange Server that enables spoofing attacks. This vulnerability is actively exploited in the wild and affects widely deployed internet-facing email servers through crafted network requests.

Risk Level: HIGH_RISK
CVSS Score: 8.1
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 (Exploit Public-Facing Application)
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-14

Added to CISA KEV: 2026-05-15 (1 day between CVE publication and KEV listing)

🌐 Internet Exposure (Shodan): 6k+ internet-facing instances
Query: http.title:"Outlook Web App"
This query identifies Exchange servers by the title of their web interface; it cannot distinguish vulnerable versions (2016, 2019, Subscription Edition) from patched or newer versions, so the count includes false positives from installations that are not vulnerable.
Checked: 2026-06-04

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-05-15)

CVE-2026-42897 is a critical security vulnerability affecting on-premise versions of Microsoft Exchange Server [3] [1].

The following details summarize the current understanding of this vulnerability:

  • Internet-Facing Status: As this vulnerability affects Microsoft Exchange Server, it is highly relevant to internet-facing applications. Exchange servers are frequently exposed to the internet to facilitate email services, making them primary targets for remote exploitation [1].
  • Active Exploitation: There is confirmed evidence of active exploitation in the wild [1]. Due to this activity, the Cybersecurity and Infrastructure Security Agency (CISA) officially added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026 [2].
  • Attack Vectors and Technical Details:
    - The vulnerability is classified as a spoofing bug resulting from a cross-site scripting (XSS) flaw [1].
    - Technically, it involves the improper neutralization of input during web page generation, which allows attackers to execute malicious scripts within the context of the user's session [3].
    - Exploitation is achieved via crafted requests sent to the targeted Exchange server [1].
  • Targeted Attacks: While the vulnerability is being actively exploited, specific details regarding whether it is being used in highly targeted, advanced persistent threat (APT) campaigns versus opportunistic mass exploitation have not been explicitly detailed in public reports beyond the confirmation of its inclusion in the CISA KEV catalog [2].

Sources

  1. On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted ...

    Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting…

  2. CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  3. CVE-2026-42897 Detail - NVD

    Description. Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an ...