CISA Adds One Known Exploited Vulnerability to Catalog - CVE-2026-42897
CISA has added CVE-2026-42897, a Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation of this flaw to reduce exposure to cyberattacks.
Authors: CISA
Source: CISA
What Happened
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers are actively exploiting a security flaw in Microsoft Exchange Server. This flaw, known as a Cross-Site Scripting vulnerability, allows attackers to potentially compromise affected systems by injecting malicious scripts. This is significant because Microsoft Exchange is widely used for email and corporate communications, making it a high-value target for attackers. Organizations should immediately apply the latest security updates from Microsoft to protect their networks.
Key Takeaways
- CISA has added CVE-2026-42897 to the Known Exploited Vulnerabilities (KEV) Catalog.
- The vulnerability is identified as a Cross-Site Scripting (XSS) flaw affecting Microsoft Exchange Server.
- There is evidence of active exploitation of this vulnerability in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.
- All organizations are strongly urged to prioritize patching to reduce their exposure to cyberattacks.
Affected Systems
- Microsoft Exchange Server
Vulnerabilities (CVEs)
- CVE-2026-42897
Attack Chain
Threat actors are actively exploiting CVE-2026-42897, a Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server. The alert does not detail a specific attack chain; XSS in Exchange typically involves injecting malicious script into web requests or emails so that it executes in the context of a user's browser session, potentially leading to unauthorized access, data theft, or further compromise of the environment.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. EDR typically has limited visibility into web-application-layer attacks such as XSS unless exploitation results in child process execution on the underlying server.
- Network Visibility: Medium. Web Application Firewalls (WAFs) and network intrusion detection systems may catch malicious XSS payloads targeting Exchange web interfaces if SSL/TLS inspection is enabled.
- Detection Difficulty: Moderate. Detecting XSS requires inspecting web traffic and application logs for malicious script payloads, which attackers often obfuscate or encode.
Required Log Sources
- Web Application Firewall (WAF) logs
- IIS Web Server logs
- Exchange Server logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous JavaScript payloads or unusual URL parameters in IIS logs targeting Exchange web directories (e.g., OWA, ECP). | IIS Web Server logs | Initial Access | Medium |
Control Gaps
- Lack of WAF inspection on Exchange web traffic
- Unpatched public-facing Exchange servers
Key Behavioral Indicators
- Anomalous HTTP GET/POST requests containing script tags or encoded JavaScript targeting Exchange endpoints
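The hunting hypothesis and behavioral indicator above can be turned into a first-pass triage script over IIS W3C logs. This is an added example, not part of the CISA alert or any Microsoft tooling; the log lines are constructed, the field layout is a typical IIS W3C header, and the OWA/ECP path prefixes and script-tag / `javascript:` patterns are the indicators the page names. It also decodes percent-encoding repeatedly so a double-encoded payload is not missed.

```python
import re
from urllib.parse import unquote
# Constructed IIS W3C log lines for illustration; not real Exchange telemetry.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-01-15 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa%2F 443 - 203.0.113.10 Mozilla/5.0 200
2026-01-15 10:00:03 10.0.0.5 GET /owa/auth/logon.aspx url=%3Cscript%3Etest%3C%2Fscript%3E 443 - 198.51.100.7 Mozilla/5.0 200
2026-01-15 10:00:04 10.0.0.5 POST /ecp/default.aspx theme=javascript%3Atest 443 - 198.51.100.7 Mozilla/5.0 302
2026-01-15 10:00:05 10.0.0.5 GET /ecp/ msg=%253Cscript%253E 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Exchange web directories named in the hunting hypothesis.
EXCHANGE_PATHS = ("/owa", "/ecp")

# Indicators from "Key Behavioral Indicators": script tags and JavaScript pseudo-URLs.
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def hunt_exchange_xss(text):
    """Return (client ip, method, uri stem, decoded query) for suspicious OWA/ECP requests."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.startswith(EXCHANGE_PATHS):
            continue  # hypothesis is scoped to Exchange web directories
        query = rec.get("cs-uri-query", "-")
        decoded = fully_decode(query) if query != "-" else ""
        if SCRIPT_PATTERN.search(decoded):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], decoded))
    return hits
```

Matches are hunting leads, not verdicts: the decoded query should be reviewed alongside the WAF and Exchange logs listed above before escalation.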
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and patch all instances of Microsoft Exchange Server against CVE-2026-42897 immediately.
Infrastructure Hardening
- Evaluate whether public-facing Exchange interfaces (like OWA and ECP) can be placed behind a Web Application Firewall (WAF) or VPN.
- Consider restricting access to Exchange admin centers to internal networks only.
User Protection
- Ensure endpoint protection is active on all systems accessing Exchange services.
Security Awareness
- Remind administrators of the importance of timely patching for public-facing infrastructure.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.007 - Command and Scripting Interpreter: JavaScript