Microsoft security advisory (AV26-473) – Update 1

Serial number: AV26-473
Date: May 15, 2026

On May 14, 2026, Microsoft published a security advisory to address a critical vulnerability in the following products:

• Microsoft Exchange Server 2016 on premises versions (any update level)
• Microsoft Exchange Server 2019 on premises versions (any update level)
• Exchange Server Subscription Edition (SE) on premises versions (any update level)

Microsoft is aware of limited exploitation of CVE-2026-42897.

Update 1

On May 15, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to their Known Exploited Vulnerabilities (KEV) Database.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates, when available.

• Microsoft Exchange Server Spoofing Vulnerability CVE-2026-42897 Security Vulnerability
• Exchange Emergency Mitigation (EM) service
• Exchange Team Blog - Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
• CISA KEV: CVE-2026-42897