Active Exploited XSS in Microsoft Exchange Server (CVE‑2026‑42897) Added to CISA KEV Catalog
What It Is — A cross‑site scripting (XSS) flaw in Microsoft Exchange Server (CVE‑2026‑42897) allows an attacker to inject malicious scripts into web‑based admin interfaces, potentially stealing session cookies or executing arbitrary actions in the context of an authenticated user.
Exploitability — The vulnerability is confirmed to be actively exploited in the wild; CISA has placed it in its Known Exploited Vulnerabilities (KEV) Catalog. KEV listing reflects confirmed in‑the‑wild exploitation and does not depend on a public proof‑of‑concept being available.
Affected Products — Microsoft Exchange Server 2016, 2019, and Exchange Online (Hybrid deployments).
TPRM Impact — Many third‑party vendors and service providers host or manage Exchange environments for customers. A breach in an Exchange instance can cascade to downstream clients, exposing email data, credentials, and internal communications, thereby amplifying supply‑chain risk.
Recommended Actions —
- Deploy Microsoft’s security update for CVE‑2026‑42897 immediately.
- Apply temporary mitigations: enforce strict Content‑Security‑Policy headers and disable vulnerable web‑mail features if patches cannot be applied within 48 hours. Test any CSP change against OWA and ECP before broad rollout, since a strict policy can break their client‑side functionality.
- Conduct targeted scanning of all Exchange servers for the vulnerable component.
- Review and harden Exchange logging and alerting for anomalous script execution.
- Update third‑party risk registers to reflect the new KEV entry and communicate remediation deadlines to all managed service providers.
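The logging and alerting item above is the one most teams leave vague. The following is an added example, not code from CISA or Microsoft, of what "alerting for anomalous script execution" can look like in practice: a scan of IIS W3C logs (the format the Exchange front end writes for OWA/ECP requests) that URL‑decodes each query string, unwraps double encoding, and flags generic script‑injection markers in requests to the web admin paths. The log lines, the `/owa` and `/ecp` path scope, and the indicator list are constructed assumptions for illustration; they are not a signature for CVE‑2026‑42897 itself.

```python
import re
from urllib.parse import unquote

# Generic markers of script injection in a request URL, applied to the
# URL-decoded query string. This list is an assumption chosen for the
# example, not a vendor signature for any specific CVE.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "html_tag": re.compile(r"<\s*(?:iframe|svg|img|object|embed|body)\b", re.I),
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"""(?:^|[\s"'<>/])on[a-z]+\s*=""", re.I),
    "dom_access": re.compile(r"document\s*\.\s*(?:cookie|location|write)", re.I),
}

# Web front ends treated as admin interfaces here (assumed scope; widen as needed).
ADMIN_PATH_PREFIXES = ("/owa", "/ecp")

# Constructed IIS W3C log excerpt (not a real capture). IIS replaces spaces
# in the User-Agent with '+', so whitespace splitting recovers the columns.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-16 09:14:02 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-16 09:14:10 10.0.0.5 GET /ecp/UsersGroups/EditUser.aspx id=7 443 CONTOSO\admin 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-16 09:15:33 10.0.0.5 GET /ecp/default.aspx ReturnObjectType=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 - 198.51.100.7 curl/8.0 302
2026-05-16 09:16:01 10.0.0.5 GET /owa/auth/logon.aspx url=javascript%3Aalert(1) 443 - 198.51.100.7 curl/8.0 200
2026-05-16 09:16:40 10.0.0.5 GET /owa/ q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 443 CONTOSO\bob 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-16 09:17:05 10.0.0.5 GET /owa/ path=/mail/inbox 443 CONTOSO\carol 10.0.1.23 Mozilla/5.0+(Windows+NT+10.0) 200
2026-05-16 09:18:12 10.0.0.5 GET /ecp/ a=%253Cscript%253E 443 - 203.0.113.9 python-requests/2.31 200
2026-05-16 09:18:30 10.0.0.5 GET /autodiscover/autodiscover.xml x=%3Cscript%3E 443 - 203.0.113.9 python-requests/2.31 401
"""


def parse_w3c(text):
    """Yield one dict per request line of an IIS W3C extended log.

    Column names come from the '#Fields:' directive; other '#' lines are skipped.
    Each row also carries its 1-based line number under the '_line' key.
    """
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production pipeline would record this
        row = dict(zip(fields, values))
        row["_line"] = line_no
        yield row


def decode_query(raw, rounds=2):
    """URL-decode a query string, repeating to unwrap double-encoded payloads.

    IIS writes '-' for an empty query; that becomes an empty string.
    """
    text = "" if raw == "-" else raw
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_iis_log(text):
    """Return findings for OWA/ECP requests whose decoded query matches an indicator."""
    findings = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().startswith(ADMIN_PATH_PREFIXES):
            continue
        decoded = decode_query(row.get("cs-uri-query", "-"))
        hits = [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "line": row["_line"],
                "client_ip": row.get("c-ip"),
                "user": row.get("cs-username"),
                "uri_stem": stem,
                "status": row.get("sc-status"),
                "indicators": hits,
                "decoded_query": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client_ip']} -> {f['uri_stem']} "
              f"[{', '.join(f['indicators'])}] {f['decoded_query']}")
```

Two design points worth carrying into a real pipeline: decoding is repeated so that a double‑encoded payload (`%253C` → `%3C` → `<`) is not missed, and the request to `/autodiscover/` with the same marker is deliberately left unflagged by the path scope, which shows that the prefix list is the knob to tune rather than the regexes. Alerts should key on the client IP and the target user (`cs-username`), since a successful reflected XSS executes in that authenticated user's session.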
Source: CISA Advisory – CISA Adds One Known Exploited Vulnerability to Catalog (May 15 2026)