CISA adds Microsoft Exchange XSS to KEV Catalog

FCEB agencies have a mandatory remediation deadline; everyone else has a strong nudge.

Editorial brief

CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability with evidence of active exploitation, to the KEV Catalog on May 15. BOD 22-01 requires FCEB agencies to remediate by the posted due date. Non-federal operators are not bound but should treat KEV listing as a prioritization signal in their vulnerability management programs.

Routine KEV addition. Patch Exchange, check the catalog for the specific due date, and move on.


Published ·Updated ·Deep Fathom