VYPR
kev · Published May 14, 2026 · Updated Jun 1, 2026 · 1 source

CISA Adds Microsoft CVE-2026-42897 to KEV Catalog Under Active Exploitation

CISA added Microsoft vulnerability CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, confirming active exploitation in the wild.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft vulnerability CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, confirming that the flaw is being actively exploited in the wild. The entry elevates the vulnerability from a theoretical risk to an immediate operational concern for defenders, carrying a remediation deadline of approximately June 5, 2026, under CISA's Binding Operational Directive (BOD) 22-01.

CVE-2026-42897 is a newly disclosed Microsoft vulnerability. While detailed technical specifics remain limited in the initial KEV entry, the inclusion signals that CISA has verified in-the-wild exploitation activity. The vulnerability affects Microsoft software, and active exploitation means threat actors are already leveraging it to compromise unpatched systems. No ransomware association has been reported for this CVE at the time of addition, but active exploitation alone warrants urgent attention.

Under BOD 22-01, the KEV catalog entry is binding on U.S. federal civilian executive branch agencies, which must apply vendor-supplied mitigations or remove the affected product from agency networks by the remediation due date. For this CVE, the standard three-week remediation window applies, making the deadline approximately June 5, 2026. Private-sector organizations and other enterprises should treat this KEV addition as a high-priority signal and apply available patches or mitigations immediately.

Defenders are advised to monitor Microsoft's Security Response Center for the corresponding advisory, apply patches as soon as they are available, and validate that mitigations are in place across all affected assets. Threat-hunting teams should review logs for indicators of compromise related to this CVE and ensure detection coverage is updated. The addition of CVE-2026-42897 continues a pattern of CISA rapidly cataloging Microsoft flaws under active exploitation, reflecting the persistent threat landscape targeting widely deployed Microsoft products.

This KEV addition comes amid a broader wave of CISA activity in May 2026, including the addition of multiple other Microsoft flaws, Cisco CVE-2026-20182, and Ivanti CVE-2026-6973. The agency's aggressive cataloging underscores the importance of timely patching for organizations of all sizes. As threat actors increasingly weaponize newly disclosed vulnerabilities, the KEV catalog serves as a critical early-warning system for the cybersecurity community.

Organizations should prioritize patching CVE-2026-42897 across all affected systems, particularly internet-facing assets. While no specific exploitation details have been publicly released, the active exploitation confirmation demands immediate action. The vulnerability's inclusion in the KEV catalog also means that federal contractors and critical infrastructure operators may face contractual obligations to remediate within the specified timeline.

Synthesized by Vypr AI