Security Bulletin: Microsoft Exchange Server Spoofing Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 5/15/26 5:17 PM

About:

CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.

The vulnerability is caused by improper authentication handling within SD-WAN management and controller infrastructure. An unauthenticated remote attacker may exploit the flaw by sending crafted requests to affected systems.

Successful exploitation may allow attackers to gain unauthorized access to SD-WAN infrastructure, execute administrative actions, manipulate network orchestration functions, and potentially compromise enterprise-wide WAN management operations.

Cisco confirmed limited exploitation of this vulnerability, and it has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Microsoft Exchange Server Spoofing Vulnerability

Identifier: CVE-2026-42897

CVSS Score: 8.1 (High, CVSS v3.1)

PoC or Exploitation:

Microsoft confirmed active exploitation of this vulnerability in the wild.

Update/ Patch:

Microsoft has released mitigation guidance for this vulnerability while permanent remediation guidance continues to evolve.

Affected versions include:Microsoft Exchange Server Subscription EditionMicrosoft Exchange Server 2019Microsoft Exchange Server 2016

Microsoft advisory and mitigation guidance:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Microsoft Exchange Team guidance:https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498

Description:

CVE-2026-42897 is a spoofing vulnerability affecting Microsoft Exchange Server Outlook Web Access (OWA).

The vulnerability is caused by improper neutralization of input during web page generation, resulting in a cross-site scripting condition within Exchange OWA.

An attacker may exploit the vulnerability by sending a specially crafted email to a target user. Successful exploitation could allow spoofing attacks and unauthorized execution of malicious script content within the victim's browser session.

Mitigation Recommendation:

Immediately review and apply Microsoft mitigation guidance for CVE-2026-42897.

Enable Emergency Mitigation Service (EEMS) on supported Microsoft Exchange Server deployments to allow rapid deployment of Microsoft-issued mitigations.

Implement URL rewrite or filtering rules recommended by Microsoft to block exploitation attempts against Exchange OWA.

Restrict unnecessary external exposure of Exchange OWA services where operationally feasible.

Monitor Exchange logs, IIS logs, and email telemetry for suspicious crafted requests, anomalous OWA activity, or indicators of cross-site scripting exploitation.

Educate users regarding suspicious email content and unexpected prompts within Outlook Web Access sessions.

Conduct threat hunting and forensic review on exposed Exchange environments, especially where internet-facing OWA deployments existed prior to mitigation implementation.

View full post