The federal deadline to patch CVE-2026-42897, a spoofing vulnerability in on-premises Microsoft Exchange Server, is today, May 29, per CISA's Known Exploited Vulnerabilities catalog. Microsoft has confirmed active exploitation. According to The Hacker News, the flaw carries a CVSS score of 8.1 and stems from a cross-site scripting weakness that lets an attacker spoof content through a crafted email.
The scope is on-premises Exchange specifically. Exchange Online is not in the affected set, so organizations that finished their cloud migration are clear of this one. That distinction matters because the population still running on-prem Exchange skews toward government, healthcare, and mid-market firms that deferred migration. That is exactly the set CISA's binding directive can compel, and the set least likely to patch on its own.
A CVSS of 8.1 understates the operational risk. A spoofing bug, delivered by email, on a mail server, in an environment where credential phishing is already the top initial-access vector, is a clean setup for follow-on intrusion. Microsoft shipped the fix in the May update cycle alongside a separate SharePoint remote-code-execution flaw (CVE-2026-45659, CVSS 8.8) that needs no special conditions to exploit. Both belong in the same patch window.
Bottom Line
If you still run Exchange on-prem, today is the deadline, and the spoofing-plus-phishing combination makes this worse than its 8.1 score suggests. Patch Exchange and SharePoint together.