CISA has added two critical vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog between 2026-05-14 and 2026-05-15. Both are confirmed to be actively exploited in the wild.
CVE-2026-42897 | Microsoft Exchange Server XSS
- Vulnerability: Cross-Site Scripting (XSS) during web page generation in Outlook Web Access (OWA).
- Exploitation Method: An attacker can inject malicious scripts into OWA views. Although XSS executes client-side, against Exchange it is typically used to steal session cookies, bypass MFA, or deliver follow-on payloads through the trusted Exchange interface.
- Threat Actors: While specific ransomware affiliation is currently listed as "Unknown," historically, Exchange vulnerabilities are rapidly weaponized by actors like LockBit, Cl0p, and state-sponsored APTs (e.g., Volt Typhoon) for initial access or persistence.
- CVSS Score: 7.1 (High) - Estimated.
- Public PoC: Not yet widely available, but active exploitation suggests exploit material exists in private circles.
- CISA Action: Due by 2026-06-05.
CVE-2026-20182 | Cisco Catalyst SD-WAN Auth Bypass
- Vulnerability: Authentication bypass in the Cisco Catalyst SD-WAN Manager and Controller.
- Exploitation Method: Unauthenticated, remote attackers can bypass authentication checks to gain administrative control over the SD-WAN fabric. This allows for lateral movement, network traffic interception, and ransomware deployment across the WAN.
- Threat Actors: Critical infrastructure is being targeted. The flaw is highly attractive to initial access brokers (IABs) and nation-state actors seeking persistent network footholds.
- CVSS Score: 9.8 (Critical) - Estimated.
- Public PoC: Suspected to be circulating in exploit kits given the "active exploitation" designation so soon after disclosure.
- CISA Action: Due by 2026-06-04.
Affected Organizations Assessment
High-Risk Environments:
- Microsoft Exchange: Any enterprise utilizing on-premises Exchange Server (2013, 2016, 2019) is exposed. Organizations that have not fully migrated to cloud-only email posture are at immediate risk of credential theft via OWA.
- Cisco Catalyst SD-WAN: Large-scale enterprises, managed service providers (MSPs), and critical infrastructure sectors (Energy, Healthcare, Finance) relying on Cisco SD-WAN for branch connectivity.
Exposure Scale:
- Exchange: High exposure. OWA is a standard internet-facing attack surface. Patch adoption for Exchange is historically slow due to maintenance window requirements.
- Cisco SD-WAN: Medium-High exposure. While fewer instances exist than Exchange, the impact of a compromise is total network control.
Sector Impact:
- Healthcare & Finance: Typically see the fastest exploitation of Exchange flaws due to the high value of intercepted email communications.
- Manufacturing & Logistics: High usage of SD-WAN makes them prime targets for the Cisco vulnerability.
Detection Engineering
Sigma Rules
```yaml
---
title: Potential Microsoft Exchange OWA XSS Exploitation
id: 0f8a1d2e-3b4c-4f5a-9b1c-2d3e4f5a6b7c
description: Detects potential exploitation of XSS vulnerabilities in Exchange OWA via script markers in the query string of requests to /owa/. Matching is case-insensitive but does not URL-decode, so encoded payloads (e.g. %3Cscript) need a decoding stage in the backend or the KQL hunt below.
status: experimental
date: 2026/05/15
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: iis
detection:
    selection:
        cs-uri-stem|contains: '/owa/'
    xss_markers:
        cs-uri-query|contains:
            - '<script'
            - 'javascript:'
            - 'onerror='
            - 'onload='
    condition: selection and xss_markers
falsepositives:
    - Legitimate scanning tools (rare)
level: critical
---
title: Cisco Catalyst SD-WAN Authentication Bypass Attempt
id: 1a9b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects successful administrative API logins to Cisco SD-WAN Manager from outside RFC 1918 address space. In environments where management access is expected only from internal or OOB networks, this is a possible indicator of CVE-2026-20182 exploitation.
status: experimental
date: 2026/05/14
author: Security Arsenal Research
logsource:
    product: cisco
    service: sdwan
detection:
    selection:
        event|contains: 'API_LOGIN_SUCCESS'
    filter_internal:
        # cidr modifier: a plain 'contains' on the CIDR string would never match a real IP
        src_ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_internal
falsepositives:
    - Legitimate admin login from a new external IP (low volume)
level: critical
```
KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for OWA XSS indicators (CVE-2026-42897)
let SuspiciousPattern = @"(?i)(<script|javascript:|onerror=|onload=)";
W3CIISLog
| where csUriStem contains "/owa/"
// IIS percent-encodes the query string and User-Agent; decode before matching so %3Cscript%3E is not missed
| extend DecodedQuery = url_decode(csUriQuery), DecodedUA = url_decode(csUserAgent)
| where DecodedQuery matches regex SuspiciousPattern or DecodedUA matches regex SuspiciousPattern
| project TimeGenerated, sSiteName, cIP, csUriStem, csUriQuery, csUserAgent, scStatus
| summarize Hits = count(), SampleQuery = take_any(csUriQuery) by bin(TimeGenerated, 5m), cIP
| order by Hits desc
```
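To check the OWA detection logic from the Sigma rule and the KQL hunt above against real log material before deploying it, here is an added Python example (not part of the original post) that parses W3C IIS log lines, URL-decodes the query string and User-Agent, applies the same four markers, and aggregates hits per client IP in 5-minute bins like the KQL `summarize`. The log excerpt is constructed for the example and the field order assumes the default IIS W3C layout.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Same indicator strings as the Sigma/KQL rules above; matched case-insensitively.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Constructed sample W3C IIS log excerpt (not real traffic) in the default field order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-15 10:02:11 10.1.1.5 GET /owa/ - 443 - 10.1.2.20 Mozilla/5.0 - 200 0 0 120
2026-05-15 10:03:40 10.1.1.5 GET /owa/ ae=Item&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 95
2026-05-15 10:04:02 10.1.1.5 GET /owa/auth/logon.aspx url=javascript%3Aalert(1) 443 - 203.0.113.9 Mozilla/5.0 - 302 0 0 40
2026-05-15 10:09:12 10.1.1.5 GET /ecp/ x=%3Cscript%3E 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
2026-05-15 10:15:55 10.1.1.5 GET /owa/ - 443 - 10.1.2.21 Mozilla/5.0+(onload=x) - 200 0 0 50
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_owa_xss(entry):
    """True when the request targets /owa/ and the decoded query or UA carries an XSS marker."""
    if "/owa/" not in entry["cs-uri-stem"].lower():
        return False
    # IIS percent-encodes the query and User-Agent ("+" for spaces), so decode before
    # matching; a raw substring match on the logged text misses %3Cscript%3E.
    query = unquote_plus(entry["cs-uri-query"])
    agent = unquote_plus(entry["cs(User-Agent)"])
    return bool(XSS_PATTERNS.search(query) or XSS_PATTERNS.search(agent))

def hunt_owa_xss(text, bin_minutes=5):
    """Count suspicious OWA requests per (time bin, client IP), like the KQL summarize."""
    hits = Counter()
    for entry in parse_w3c(text):
        if is_owa_xss(entry):
            ts = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
            bucket = ts.replace(minute=ts.minute - ts.minute % bin_minutes, second=0)
            hits[(bucket.strftime("%Y-%m-%d %H:%M"), entry["c-ip"])] += 1
    return hits

if __name__ == "__main__":
    for (bucket, client), n in hunt_owa_xss(SAMPLE_LOG).most_common():
        print(f"{bucket}  {client:<15} {n} suspicious OWA request(s)")
```

The /ecp/ request with an encoded script tag is deliberately left unmatched, mirroring the rule's /owa/ scope; widen the stem check if ECP is also exposed.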
Remediation Script (PowerShell)
```powershell
# Exchange patch validator for CVE-2026-42897
# Compares each server's AdminDisplayVersion against the first fixed build of its release line.
# Build numbers below are PLACEHOLDERS for 2026 context: replace them with the builds from the MSRC advisory.
Write-Host "[+] Checking Microsoft Exchange Servers for CVE-2026-42897 Vulnerability..." -ForegroundColor Cyan

# Key = "Major.Minor" of the release line (15.0 = 2013, 15.1 = 2016, 15.2 = 2019); value = first patched build.
# A single threshold cannot be used across lines: a 2016 build (15.1.x) is always "less than" any 15.2.x build.
$SecureBuilds = @{
    '15.2' = [version]'15.2.999.0'    # placeholder
    # '15.1' = [version]'<build from advisory>'
    # '15.0' = [version]'<build from advisory>'
}

$PatchStatus = foreach ($Server in (Get-ExchangeServer | Sort-Object Name)) {
    # AdminDisplayVersion is a ServerVersion object ("Version 15.2 (Build 986.5)"), not a [version] string,
    # so build a comparable [version] from its numeric parts.
    $v = $Server.AdminDisplayVersion
    $VersionObject = [version]::new($v.Major, $v.Minor, $v.Build, $v.Revision)
    $Line = "$($v.Major).$($v.Minor)"
    $SecureBuild = $SecureBuilds[$Line]

    if (-not $SecureBuild) {
        $Status = "UNKNOWN"
        Write-Host "[?] $($Server.Name): release line $Line not in the table; review manually." -ForegroundColor Yellow
    } elseif ($VersionObject -lt $SecureBuild) {
        $Status = "VULNERABLE"
        Write-Host "[-] $($Server.Name): $VersionObject is older than $SecureBuild and VULNERABLE." -ForegroundColor Red
    } else {
        $Status = "PATCHED"
        Write-Host "[+] $($Server.Name): $VersionObject is Patched." -ForegroundColor Green
    }

    [PSCustomObject]@{
        ServerName  = $Server.Name
        Version     = $VersionObject
        SecureBuild = $SecureBuild
        Status      = $Status
    }
}

$PatchStatus | Format-Table -AutoSize

# Optional: trigger the Cumulative Update installer on vulnerable hosts
# Start-Process -FilePath "\\path\to\ExchangeCU2026.exe" -ArgumentList "/mode:install /role:ClientAccess,Mailbox /IAcceptExchangeServerLicenseTerms"
```
---
Patch & Remediation Priorities
Priority Order:
- CVE-2026-20182 (Cisco Catalyst SD-WAN): CRITICAL. Authentication bypass allows full network takeover without credentials. Patch immediately or isolate management interfaces.
- CVE-2026-42897 (Microsoft Exchange): HIGH. Vulnerability leads to session hijacking. Apply cumulative updates to OWA components immediately.
Patch Details & Deadlines:
| CVE | Vendor | Product | Patch Version / Advisory | Deadline |
|---|---|---|---|---|
| CVE-2026-20182 | Cisco | Catalyst SD-WAN | See Cisco Security Advisory cisco-sa-sdwan-bypass-2026 | 2026-06-04 |
| CVE-2026-42897 | Microsoft | Exchange Server | See KB502XXXX / May 2026 Security Update | 2026-06-05 |
Workarounds:
- Cisco: Disable the web management interface (HTTP/HTTPS) on the WAN interface until patched, enforcing access only via Out-of-Band (OOB) management or VPN with strict ACLs.
- Microsoft: If patching is delayed, enforce MFA and restrict OWA access via geographic IP blocking or Conditional Access policies to mitigate credential theft impact.