KEV · Actively exploited

CVE-2026-42897

CRITICAL 8.1 KEV Published on 2026-05-12

Microsoft Exchange Server Spoofing Vulnerability

EPSS 10.34% moderate exploit risk percentile 93.3%

CISA Known Exploited Vulnerability

Added to KEV: 2026-05-15
Remediation deadline: 2026-05-29
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ransomware: No