Microsoft CVE-2026-42897 Added to CISA KEV Under Active Exploitation
Microsoft vulnerability CVE-2026-42897 was added to CISA's Known Exploited Vulnerabilities catalog on May 15, 2026, confirming active exploitation in the wild.

Key findings
- CVE-2026-42897 is a Microsoft vulnerability confirmed actively exploited in the wild
- Added to CISA KEV catalog on May 15, 2026, with a remediation deadline of approximately June 5, 2026
- No ransomware association reported for this CVE at the time of addition
- Federal agencies must patch or mitigate by the KEV deadline; all organizations should prioritize remediation
- Threat-hunting teams should review logs for exploitation indicators linked to this CVE

Microsoft's CVE-2026-42897 was added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026. The entry confirms that this vulnerability is being actively exploited in the wild, elevating it from a theoretical risk to an immediate concern for defenders.

CVE-2026-42897 is a newly disclosed Microsoft vulnerability. While detailed technical specifics remain limited in the initial KEV entry, the inclusion in the catalog signals that CISA has verified in-the-wild exploitation activity. The vulnerability affects Microsoft software, and active exploitation means threat actors are already leveraging it to compromise unpatched systems.

The KEV catalog entry carries a binding operational directive for U.S. federal civilian executive branch agencies, which must apply vendor-supplied mitigations or remove the affected product from agency networks by the remediation due date. For this CVE, the standard three-week remediation window applies, making the deadline approximately June 5, 2026.

No ransomware association has been reported for CVE-2026-42897 at this time. However, active exploitation alone warrants urgent attention, as unpatched systems remain exposed to compromise. Private-sector organizations and other enterprises should treat this KEV addition as a high-priority signal and apply available patches or mitigations immediately.

Defenders are advised to monitor Microsoft's Security Response Center for the corresponding advisory, apply patches as soon as they are available, and validate that mitigations are in place across all affected assets. Threat-hunting teams should review logs for indicators of compromise related to this CVE and ensure detection coverage is updated.