<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif;}
h4
        {mso-style-priority:9;
        mso-style-link:"Heading 4 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        margin-bottom:2.4pt;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif;
        color:black;
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.Heading4Char
        {mso-style-name:"Heading 4 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 4";
        font-family:"Aptos",sans-serif;
        color:#0F4761;
        font-style:italic;}
span.first-word1
        {mso-style-name:first-word1;
        font-weight:bold;
        text-decoration:underline;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Aptos",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        mso-ligatures:none;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:192546566;
        mso-list-type:hybrid;
        mso-list-template-ids:1318239224 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l1
        {mso-list-id:1307781742;
        mso-list-template-ids:-1362721806;}
@list l1:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l1:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2
        {mso-list-id:1434783903;
        mso-list-template-ids:-1362721806;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l2:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l2:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3
        {mso-list-id:1663507637;
        mso-list-template-ids:-1362721806;}
@list l3:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l3:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l3:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4
        {mso-list-id:1884319943;
        mso-list-template-ids:-1362721806;}
@list l4:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l4:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l4:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l4:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:red">NOTE: **Updates will be italicized and red**<span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></b></p>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Good morning,<o:p></o:p></span></p>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The SOC Services team is reporting on the vulnerability
<b>CVE-2026-42897</b>: Urgent Mitigations Required for Exchange Server Zero-Day vulnerability
affecting On-Premises Enterprise Microsoft Exchange Email Infrastructure. Because active in-the-wild exploitation has been confirmed and
no official security update is available yet, we are providing this in-depth information.
<o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">History:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal">
</span><span style="font-family:"Calibri",sans-serif;font-weight:normal">On May 14, 2026, Microsoft disclosed CVE-2026-42897, a zero-day cross-site scripting (XSS) and spoofing vulnerability in on-premises Microsoft Exchange Server</span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal">.
 The CVSS v3.x base score is 8.1 (HIGH), as assigned by Microsoft.</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext;font-weight:normal"><o:p></o:p></span></h4>
<h4 style="margin-top:0in"><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></h4>
<h4 style="margin-top:0in"><span lang="EN" style="font-family:"Calibri",sans-serif">Affected Versions<o:p></o:p></span></h4>
<ul style="margin-top:0in" type="disc" id="affectedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1">
<span lang="EN" style="font-family:"Calibri",sans-serif">Microsoft Exchange Server 2016 (Any Cumulative Update level)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1">
<span lang="EN" style="font-family:"Calibri",sans-serif">Microsoft Exchange Server 2019 (Any Cumulative Update level)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1">
<span lang="EN" style="font-family:"Calibri",sans-serif">Microsoft Exchange Server Subscription Edition (SE) (Any Update level)<o:p></o:p></span></li></ul>
<h4 style="margin-top:0in"><span lang="EN" style="font-family:"Calibri",sans-serif">Fixed Versions<o:p></o:p></span></h4>
<ul style="margin-top:0in" type="disc" id="fixedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo2">
<span lang="EN" style="font-family:"Calibri",sans-serif">Not permanently fixed. Future security updates will target Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 / CU15<o:p></o:p></span></li></ul>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Microsoft Exchange Server is a physical or virtual on-premises server solution providing enterprise-grade email, calendar, contact management, and collaboration services. The affected component
 is Outlook on the web (OWA), the web-browser based portal used by remote or desktop users to access mailboxes directly via HTTPS</span><span lang="EN" style="font-family:"Calibri",sans-serif">.<span style="color:black"><o:p></o:p></span></span></p>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">More information regarding this vulnerability can be found here:
<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
<span lang="EN" style="font-family:"Calibri",sans-serif"><a href="https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498">Addressing Exchange Server May 2026 vulnerability CVE-2026-42897</a>
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
<span lang="EN" style="font-family:"Calibri",sans-serif"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897</a><o:p></o:p></span></li></ul>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Intelligence:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal">
</span><i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red;font-weight:normal">On May 15, 2026, CISA confirmed the vulnerability as being exploited in the wild and has listed the vulnerability in the Known Exploited Vulnerabilities Catalog.</span></i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red;font-weight:normal">
</span><span lang="EN" style="font-family:"Calibri",sans-serif;color:windowtext;font-weight:normal">Threat actors are utilizing specially crafted emails to execute arbitrary JavaScript within the browser sessions of authenticated Outlook on the web (OWA) users,
 creating an immediate risk of session hijacking, unauthorized data access, and corporate email environment compromise.
</span><i><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></i></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Exploitability:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> Network
<br>
<strong><span style="font-family:"Calibri",sans-serif">Complexity:</span></strong> Low<br>
<strong><span style="font-family:"Calibri",sans-serif">User Interaction:</span></strong> Required<br>
<strong><span style="font-family:"Calibri",sans-serif">Remotely Exploitable:</span></strong> Yes<br>
<strong><span style="font-family:"Calibri",sans-serif">Proof of Concept:</span></strong> Not publicly disclosed<br>
<strong><span style="font-family:"Calibri",sans-serif">Zero Day:</span></strong> Yes
<o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Workarounds:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> Enable and verify the Exchange Emergency Mitigation Service (EEMS)
 to automatically deploy IIS URL Rewrite Rule mitigation 'M2.1.0' (or subsequent M2.1.x iterations). For air-gapped or disconnected environments, manually apply the mitigation rule using the Exchange On-premises Mitigation Tool (EOMT) script via an elevated
 Exchange Management Shell. Instruct administrative or high-value personnel to temporarily process mail exclusively via the Outlook Desktop Client or mobile applications, avoiding OWA interactions until the mitigation is confirmed active. These steps are interim mitigations, not a fix; the vendor security update still has to be applied once it is released.<o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">How it Works:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> The attack leverages a Stored Cross-Site Scripting (XSS) delivery
 pipeline due to improper input sanitization during web page generation (CWE-79). An unauthenticated attacker crafts a malicious email containing malformed HTML, nested object elements, or specific handling attributes that evade the OWA service-side sanitization
 layer. When a target user authenticates to OWA and opens or previews the email, the OWA rendering module inserts the unsanitized string into the browser document object model (DOM). Because this happens dynamically inside the logged-in web context of OWA,
 the browser executes the payload implicitly under the security context of the user session. The script runs in OWA's own origin, so the Same-Origin Policy (SOP) does not restrict what it can do there<o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Post-Exploit Impact:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<ul type="disc" id="postExploitImpactList">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Session Hijacking and Token Theft: Arbitrary script execution allows the extraction of active session cookies and authorization tokens from browser storage, enabling attackers to maintain persistence
 inside the mailbox without possessing the user's password (CWE-79)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Data Exfiltration and Lateral Impersonation: Automated API calls can be executed silently on behalf of the victim to download entire mailboxes, modify inbox forwarders, search sensitive directories, or
 distribute further internal phishing emails to move laterally within the organization (CWE-200)<o:p></o:p></span></li></ul>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Indicators of Compromise (IoCs):</span></span><u><span style="color:windowtext"><o:p></o:p></span></u></h4>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<thead>
<tr>
<td style="border:solid #CCCCCC 1.0pt;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Type<o:p></o:p></span></b></p>
</td>
<td style="border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Value<o:p></o:p></span></b></p>
</td>
<td style="border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Description / Notes<o:p></o:p></span></b></p>
</td>
<td style="border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Source<o:p></o:p></span></b></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td style="border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">IIS URL Rewrite Rule Logs<o:p></o:p></span></b></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">M2.1.0 / M2.1.x Rule matches<o:p></o:p></span></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Inbound HTTP requests modified or dropped by the EEMS/EOMT URL Rewrite configuration on Frontend IIS servers indicate blocked exploitation
 attempts. A rule match shows an attempt that was blocked; it says nothing about activity that occurred before the mitigation was applied<o:p></o:p></span></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Microsoft Security Team<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Application Event Log / IIS Errors<o:p></o:p></span></b></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">MSExchangeOWACalendarAppPool Fatal Communication Error<o:p></o:p></span></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">An increase in events recording fatal communication errors within MSExchangeOWACalendarAppPool, or in 500/503 errors on the OWACalendar.Proxy
 endpoints, can be a side effect of the applied mitigation or a sign of anomalous OWA activity related to exploitation. Treat it as a lead to correlate with other logs, not as proof of compromise on its own<o:p></o:p></span></p>
</td>
<td style="border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Enterprise Blue Team Field Intelligence<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Tenable Plugins:</span></span><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal;text-decoration:none">
</span></span><span style="font-family:"Calibri",sans-serif;font-weight:normal">As of the release of this Vulnerability Notification, Tenable has not published any plugins for this CVE.</span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Recommended Actions:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Date Added to KEV Catalog:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">
</span><i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red">5/15/26</span></i><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><br>
<strong><span style="font-family:"Calibri",sans-serif">Due Date for Remediation:</span></strong>
</span><i><span lang="EN" style="font-family:"Calibri",sans-serif;color:red">5/29/26</span></i><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Verify immediately that your on-premises Exchange servers are running a version dated March 2023 or later to ensure compatibility with emergency metadata streams<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Confirm the active status of the Exchange Emergency Mitigation Service (EEMS). Open an elevated Exchange Management Shell (EMS) and run the Exchange Health Checker script (<a href="https://aka.ms/ExchangeHealthChecker">https://aka.ms/ExchangeHealthChecker</a>)
 to explicitly audit the HTML output for applied 'M2' status<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Verify that the host has not been compromised before applying patches.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply appropriate updates provided by the vendor to vulnerable systems after testing.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Run all software as a non-privileged user to reduce the impact of a successful attack.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo5">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></b></p>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black">EIS Security Operations Center</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Enterprise Information Services</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Cyber Security Services | CSS</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">SOC Hotline: (503) 378-5930</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:SOC@EIS.OREGON.GOV"><span style="color:#467886">SOC@EIS.OREGON.GOV</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black"><img border="0" width="54" height="54" style="width:.5625in;height:.5625in" id="Picture_x0020_274158764" src="cid:image004.png@01DCE44C.1CB78970"></span><span style="font-size:11.0pt;color:black"> <img border="0" width="205" height="53" style="width:2.1354in;height:.552in" id="Picture_x0020_945162415" src="cid:image003.png@01DCE44C.1CB78970"></span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span><b><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>