CISA adds CVE-2026-42897 Exchange Server XSS to KEV Catalog
Active exploitation of a cross-site scripting flaw in Exchange Server triggers BOD 22-01 remediation deadlines for all FCEB agencies.
TL;DR
CISA added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server, to the Known Exploited Vulnerabilities Catalog on May 15, 2026, citing evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate by the BOD 22-01-assigned due date, which CISA has not yet published. Contractors supporting federal systems face audit exposure if affected Exchange deployments remain unpatched. Patch availability has not been confirmed in the advisory.
CISA's addition of CVE-2026-42897 is a routine KEV Catalog update: active exploitation observed, Binding Operational Directive 22-01 kicks in, and Federal Civilian Executive Branch (FCEB) agencies get a remediation deadline. XSS flaws in Exchange Server are a well-worn attack class, and this is not the first Exchange entry of that kind in the catalog.
Two things to track. First, CISA has not published the BOD 22-01 remediation due date for this CVE. Compliance teams should check the KEV Catalog directly for the deadline rather than waiting for secondary notification. Second, the alert does not confirm whether Microsoft has issued a patch. If a fix is not yet available, agencies and contractors still carry the obligation to apply compensating controls and monitor for exploitation activity against Exchange infrastructure in scope.
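One way to script that check rather than relying on secondary notification is to read the catalog feed itself and key off the per-entry dueDate field. The following is an added example for this article, not code from CISA or from the original page. It assumes the KEV JSON feed published by CISA at the URL below and its record schema (cveID, dateAdded, dueDate, requiredAction, and so on); the sample records are constructed here to mirror that schema, with the second record using a placeholder CVE ID only to show what a populated dueDate looks like.

```python
"""Look up a CVE's BOD 22-01 due date in the CISA KEV Catalog JSON feed.

Added example, not from the original article. KEV_FEED_URL is CISA's
published KEV JSON endpoint; SAMPLE_KEV_JSON is constructed to mirror
the feed's schema and is not real catalog data.
"""
import json
import urllib.request
from datetime import date, datetime
from typing import Optional

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the feed's shape. The first record mirrors the
# article's situation (listed, due date not yet published). The second uses
# a placeholder CVE ID (not a real vulnerability) to show a populated dueDate.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.15",
    "dateReleased": "2026-05-15T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-42897",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Server Cross-Site Scripting Vulnerability",
            "dateAdded": "2026-05-15",
            "shortDescription": "Constructed sample record.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2025-00000",  # placeholder ID, constructed
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed placeholder entry",
            "dateAdded": "2026-04-01",
            "shortDescription": "Constructed sample record.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-04-22",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_catalog(raw_json: str) -> dict:
    """Parse feed text into {CVE-ID: record}; a missing 'vulnerabilities' key raises."""
    feed = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def fetch_catalog(url: str = KEV_FEED_URL, timeout: float = 30.0) -> dict:
    """Download and parse the live feed (needs network; the offline demo below does not use it)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_catalog(resp.read().decode("utf-8"))


def due_date_for(catalog: dict, cve_id: str) -> Optional[date]:
    """Return the BOD 22-01 due date, or None if the CVE is absent or its dueDate is blank."""
    record = catalog.get(cve_id.upper())
    if record is None:
        return None
    raw = (record.get("dueDate") or "").strip()
    if not raw:
        return None
    return datetime.strptime(raw, "%Y-%m-%d").date()


def remediation_status(catalog: dict, cve_id: str, today: date) -> str:
    """Classify a CVE as not_listed, due_date_pending, open, or overdue as of 'today'."""
    if cve_id.upper() not in catalog:
        return "not_listed"
    due = due_date_for(catalog, cve_id)
    if due is None:
        return "due_date_pending"
    return "overdue" if today > due else "open"


def status_report(raw_json: str, cve_ids: list, as_of_iso: str) -> dict:
    """Status for each requested CVE against a feed snapshot, keyed by normalized CVE ID."""
    catalog = load_catalog(raw_json)
    today = date.fromisoformat(as_of_iso)
    return {c.upper(): remediation_status(catalog, c, today) for c in cve_ids}


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_catalog() for the live feed.
    for cve, status in status_report(
        SAMPLE_KEV_JSON, ["CVE-2026-42897", "CVE-2025-00000", "CVE-2024-99999"], "2026-05-16"
    ).items():
        print(f"{cve}: {status}")
```

Treat due_date_pending as an action item, not a pass: the entry is in the catalog and the clock starts when CISA fills in dueDate, so the check should be re-run against the live feed until the field is populated.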
Deep Fathom