Microsoft has released Patch Tuesday updates to address the actively exploited Exchange Server vulnerability CVE-2026-42897, which allows attackers to execute arbitrary JavaScript through specially crafted emails. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to implement fixes by May 29.
Microsoft has patched a critical zero-day vulnerability (CVE-2026-42897) affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition, which was actively exploited through spoofing and XSS attacks via Outlook Web Access. As a cybersecurity professional, ensure your organization applies these patches immediately to mitigate potential risks. Additionally, monitor CISA's Known Exploited Vulnerabilities (KEV) catalog for updates and ensure compliance with any federal directives, such as the deadline for addressing this vulnerability.