A critical flaw in Microsoft Exchange Server, identified as CVE-2026-42897 and carrying a CVSS score of 8.1, has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog. The vulnerability is being actively exploited by threat actors, prompting Microsoft to issue a warning. The flaw is related to improper neutralization of input, which attackers can leverage to compromise Exchange Server instances. CISA's addition of the vulnerability to its catalog indicates a high level of concern and emphasizes the need for immediate attention from administrators. The exploitation status of CVE-2026-42897 is currently under discussion, which will determine whether a patch-now or a monitor approach is necessary. This development matters to practitioners because it highlights the urgency of addressing the vulnerability to prevent potential breaches and data compromise.