
CISA adds exploited Exchange XSS to KEV catalog

Federal agencies are now obligated to patch under BOD 22-01, but CISA's alert does not confirm whether Microsoft has released a fix.


TL;DR

CISA added CVE-2026-42897 (exploited XSS in Microsoft Exchange Server) to the KEV catalog. Federal agencies must remediate under BOD 22-01; the alert does not confirm whether Microsoft has released a patch. Non-federal orgs running Exchange should treat it as under active attack.

BOD 22-01 binds FCEB agencies to remediate KEV-listed vulnerabilities within prescribed timelines; CISA has not yet published the specific due date for CVE-2026-42897. The alert does not reference a Microsoft security advisory, which is unusual: most KEV additions correspond to available vendor patches. Until Microsoft confirms remediation guidance, agencies running Exchange should assess whether compensating controls or temporary mitigations are available. CISA urges all organizations, regardless of federal status, to prioritize KEV catalog vulnerabilities as part of their vulnerability management practice.
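As an added example (not code from the CISA alert or from Deep Fathom), the check below reads a KEV-feed-shaped JSON document, matches entries against an asset inventory and flags the situation this brief describes: a listed CVE with no published due date. Field names follow CISA's published KEV JSON feed; the feed contents, inventory, dates and the non-Exchange CVE ids are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match
# the real feed; every value (dates, text, placeholder CVE ids) is made up.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed KEV sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server XSS (constructed entry)",
         "dateAdded": "2026-01-01", "dueDate": "",  # no due date published yet
         "requiredAction": "Apply vendor mitigations when available."},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "vulnerabilityName": "constructed",
         "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor",
         "product": "NotDeployed", "vulnerabilityName": "constructed",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory as (vendorProject, product), lower-cased.
INVENTORY = {("microsoft", "exchange server"), ("examplevendor", "examplegateway")}


def triage_kev(feed_json, inventory, today_iso):
    """Return one finding per KEV entry whose vendor/product is in inventory.

    status: 'no_due_date' when CISA has not yet published a BOD 22-01 due date
    (treat as immediate), 'overdue' when the due date has passed, else 'open'.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in inventory:
            continue
        due = entry.get("dueDate", "").strip()
        if not due:
            status, days_left = "no_due_date", None
        else:
            days_left = (date.fromisoformat(due) - today).days
            status = "overdue" if days_left < 0 else "open"
        findings.append({"cveID": entry["cveID"], "product": entry["product"],
                         "dueDate": due or None, "daysLeft": days_left,
                         "status": status, "requiredAction": entry["requiredAction"]})
    # Most urgent first: missing due date, then overdue, then least time left.
    order = {"no_due_date": 0, "overdue": 1, "open": 2}
    return sorted(findings, key=lambda f: (order[f["status"]], f["daysLeft"] or 0))
```

Pointing the loader at the live KEV feed instead of `SAMPLE_KEV_FEED` gives the same triage over the real catalog.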


Deep Fathom