InfoSec Briefing - May 16, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Saturday, May 16, 2026. We have one critical security development to cover today. All attribution is by the article authors. All article analysis is automated.

CISA has added a critical Microsoft Exchange Server vulnerability to its Known Exploited Vulnerabilities catalog. The cross-site scripting flaw affects Exchange 2016, 2019, and Subscription Edition, allowing unauthenticated attackers to execute spoofing attacks against Outlook on the web through crafted network requests. This is actively exploited as a zero-day against internet-facing Exchange servers. Organizations must immediately apply Microsoft security updates, run the Exchange on-premises Mitigation Tool, and check server logs for unauthorized access and suspicious web requests.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-42897 - CISA KEV

**CVE-2026-42897** is a high-severity security vulnerability currently being exploited in the wild as a zero-day .

### Affected Product and Vendor
- **Vendor:** Microsoft Corporation
- **Product:** Microsoft Exchange Server, specifically the **Outlook on the web (OWA)** component

### Vulnerability Details
- **Type:** Reflected Cross-Site Scripting (XSS) (CWE-79)
- **CVSS Score:** 8.1
- **Impact:** The vulnerability stems from improper neutralization of user-supplied input during web page generation . It allows unauthenticated attackers to perform spoofing over a network and execute arbitrary scripts within the context of the user's session .

### Exploitation (MITRE ATT&CK T1190)
Attackers are exploiting this vulnerability against internet-facing Exchange servers by sending **crafted emails** to targets . By leveraging the reflected XSS flaw, attackers can manipulate the OWA interface to perform spoofing attacks . While specific threat actor groups have not been publicly named, the active exploitation as a zero-day indicates a high level of interest from malicious entities .

### Immediate Actions for Defenders
Organizations running on-premises Microsoft Exchange Servers should take the following steps immediately:

- **Download the Mitigation Tool:** Obtain the latest version of the **Exchange on-premises Mitigation Tool (EOMT)** from the official Microsoft link (aka[.]ms/UnifiedEOMT) .
- **Apply Mitigation:** Run the script via an elevated Exchange Management Shell (EMS) .
- For a single server: `.\EOMT.ps1 -CVE "CVE-2026-42897"`
- For all servers (excluding Edge roles): `Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"`