CVE-2026-42897

Severity: HIGH · CISA KEV

Microsoft Exchange Server Spoofing Vulnerability

Title source: cna

Exploitation Summary

CVE-2026-42897 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 15, 2026. EIP tracks 1 public exploit, from the researcher atiilla.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept demonstrating CVE-2026-42897, a vulnerability in Microsoft Exchange Health Checker where outbound IIS URL Rewrite rules are not detected, leading to false negatives in mitigation verification. The PoC script simulates the vulnerable parsing logic and compares it with a patched version to highlight the blind spot. Note the mismatch between this summary and the vendor description below: the advisory describes a cross-site scripting flaw in Exchange Server itself, while the PoC, as summarized, exercises the Health Checker script's parsing of IIS URL Rewrite rules and does not demonstrate the spoofing attack against a server.
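As an added example (not the atiilla PoC and not the Health Checker script itself), the following Python shows the kind of blind spot the summary describes: a check that enumerates only the inbound rules under `<rewrite><rules>` in an IIS web.config never sees rules under `<rewrite><outboundRules>`, so a mitigation implemented as an outbound rule is reported absent. The web.config fragment and the rule names in it are constructed for illustration; nothing here is taken from the real tool.

```python
"""Added example: inbound-only vs. inbound+outbound enumeration of IIS URL
Rewrite rules in a web.config. Not Health Checker code and not the atiilla PoC;
the sample config and rule names below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed web.config fragment (hypothetical rule names). One inbound rule,
# two outbound rules.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="BlockAutodiscoverProbe" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{REQUEST_URI}" pattern="/autodiscover/autodiscover.json" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="StripServerHeader">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="AddCSP">
          <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
          <action type="Rewrite" value="default-src 'self'" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""

REWRITE = "./system.webServer/rewrite"


def inbound_rule_names(config_xml: str) -> list[str]:
    """Naive check: walks only <rules>/<rule>. This is the shape of the blind
    spot described on the page: <outboundRules> is never visited."""
    root = ET.fromstring(config_xml)
    return [r.get("name") for r in root.findall(f"{REWRITE}/rules/rule")]


def all_rule_names(config_xml: str) -> dict[str, list[str]]:
    """Hardened check: enumerates inbound and outbound rules separately so a
    caller can tell where a rule lives."""
    root = ET.fromstring(config_xml)
    return {
        "inbound": [r.get("name") for r in root.findall(f"{REWRITE}/rules/rule")],
        "outbound": [r.get("name") for r in root.findall(f"{REWRITE}/outboundRules/rule")],
    }


def is_mitigation_present(config_xml: str, rule_name: str,
                          include_outbound: bool = True) -> bool:
    """True when a rule named rule_name exists anywhere in <rewrite>. With
    include_outbound=False an outbound-only rule produces a false negative."""
    rules = all_rule_names(config_xml)
    names = set(rules["inbound"])
    if include_outbound:
        names |= set(rules["outbound"])
    return rule_name in names


def missed_by_inbound_only_check(config_xml: str) -> list[str]:
    """Rule names an inbound-only check would wrongly report as absent."""
    rules = all_rule_names(config_xml)
    return [n for n in rules["outbound"] if n not in rules["inbound"]]


if __name__ == "__main__":
    print("inbound-only sees:", inbound_rule_names(SAMPLE_WEB_CONFIG))
    print("full enumeration:", all_rule_names(SAMPLE_WEB_CONFIG))
    print("missed by inbound-only check:", missed_by_inbound_only_check(SAMPLE_WEB_CONFIG))
    print("StripServerHeader present (inbound-only):",
          is_mitigation_present(SAMPLE_WEB_CONFIG, "StripServerHeader", include_outbound=False))
```

Run against a real Exchange front-end web.config only after confirming which rule a given mitigation actually installs (inbound or outbound); the point of the example is that any verifier must look under both `<rules>` and `<outboundRules>` before declaring a mitigation missing.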

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Exploits (1)

nomisec · WORKING POC
by atiilla · poc
https://github.com/atiilla/CVE-2026-42897


Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Health Checker (CSS-Exchange)
Authentication: none needed
Prerequisites: Access to Exchange Health Checker tool · IIS configuration with outbound URL Rewrite rules
Analyzed by devstral-2 on May 15, 2026

References (2)

Core References (2)
Vendor Advisory (vendor-advisory, patch): Microsoft Exchange Server Spoofing Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Scores

CVSS v3.1 Base Score: 8.1 (High)
EPSS: 0.0251 (2.51% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile: 82.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2026-05-15
VulnCheck KEV: 2026-05-14
ENISA EUVD: EUVD-2026-30343
CWE: CWE-79
Status: published
Products (13)
microsoft/exchange_server
microsoft/exchange_server 2016 (24 CPE variants)
microsoft/exchange_server 2019 (15 CPE variants)
microsoft/exchange_server_subscription_edition < 15.02.2562.043
Microsoft/Microsoft Exchange Server 2016 Cumulative Update 23 -
Microsoft/Microsoft Exchange Server 2016 Cumulative Update 23 15.01.0.0 - 15.01.2507.069
Microsoft/Microsoft Exchange Server 2016 Cumulative Update 23 15.01.0.0 - publication
Microsoft/Microsoft Exchange Server 2019 Cumulative Update 14 -
Microsoft/Microsoft Exchange Server 2019 Cumulative Update 14 15.02.0.0 - 15.02.1544.041
Microsoft/Microsoft Exchange Server 2019 Cumulative Update 14 15.02.0.0 - publication
... and 3 more
Published May 14, 2026
KEV Added May 15, 2026
Tracked Since May 14, 2026