Patch Tuesday: Exchange CVE-2026-42897 finally gets a permanent fix after weeks on emergency mitigation  ·  SharePoint RCE patched  ·  CISA KEV supply chain triple expires today  ·  CYBERSIP.NET  ·  ISSUE 58
CyberSip™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 58  ·  June 9, 2026  ·  cybersip.net
Issue No. 58  ·  June 9, 2026  ·  3 items  ·  Under 5 min read
Today’s picture
June Patch Tuesday shipped this morning. The most significant item for organisations that follow this brief is the permanent fix for CVE-2026-42897, the Exchange Server XSS spoofing vulnerability that has been actively exploited since mid-May and has been running on emergency mitigation alone for the past four weeks. Administrators can now replace that temporary control with an actual patch. The release also patches CVE-2026-45659, a SharePoint RCE carrying CVSS 8.8 that requires authentication but no elevated privileges. The CISA KEV deadline for the DAEMON Tools, TanStack, and Nx Console supply chain triple expires today.
3 items · Patch Tuesday
  • Exchange CVE-2026-42897 permanent fix finally ships
  • SharePoint CVE-2026-45659 CVSS 8.8 RCE patched
  • KEV supply chain triple deadline today
Permanent Fix · Exchange Server
Exchange CVE-2026-42897 finally has a permanent patch. Four weeks of emergency mitigation ends today. Apply the June update, confirm the patch is applied, and retire the temporary EM control.
This flaw has been tracked in this brief since Issue 34 on May 16, when it first surfaced as an actively exploited XSS in Outlook Web Access. It has sat in the monitoring strip through Issues 35 to 57, with only the Exchange Emergency Mitigation Service providing protection. Today it closes.
Patch Tuesday · SharePoint
SharePoint CVE-2026-45659 CVSS 8.8 patched. Authenticated attacker with no elevated privileges executes code remotely on affected SharePoint Server versions.
Not confirmed exploited in the wild yet. Any authenticated user is in scope, so the attack surface covers everyone with a SharePoint account. Apply the June Patch Tuesday update to SharePoint Server today.
Expires Today · KEV Triple
CISA KEV deadline for DAEMON Tools, TanStack, and Nx Console expires today. Three distinct remediations, each with different completion criteria.
Update DAEMON Tools and rotate credentials from April–May installs. Run SCA covering lock files and container layers for TanStack. Confirm Nx Console is updated and rotate developer credentials. The extension update alone is not remediation.
Detailed intelligence
Full analysis
01 · Permanent Fix Ships · Exchange
Exchange CVE-2026-42897 permanent patch arrives. Four weeks on emergency mitigation ends today. Apply the June update and confirm the Exchange Emergency Mitigation control can be retired.
CVE-2026-42897 · Exchange Server
The June 9 Patch Tuesday update delivers the permanent fix for the Exchange Server XSS spoofing vulnerability in Outlook Web Access that has been actively exploited since May and tracked in this brief since Issue 34. Organisations using the Exchange Emergency Mitigation Service should apply the patch and verify the permanent fix is in place.
Executive Impact
Apply the June Patch Tuesday update to all on-premises Exchange Server deployments today. Once confirmed applied, the Exchange Emergency Mitigation temporary control can be retired. The EM service applied a temporary mitigation at the application layer. The patch addresses the underlying vulnerability in the code. Confirm actual patch status through the Exchange Management Shell before removing the mitigation.
Don’t Miss
CVE-2026-42897 has been in this brief’s monitoring strip continuously from Issue 35 through Issue 57. It first appeared as an actively exploited XSS in OWA that executes arbitrary JavaScript in the browser session of any user who opens a crafted email, including those with administrative access. The federal deadline passed May 29 with only emergency mitigation available. Four weeks between disclosure of active exploitation and permanent patch is an unusually long window for a critical Exchange vulnerability. The patch ships today. Apply it today.
CyberSip Take
This is the close of the longest-running item in the monitoring strip since this brief started. Four weeks of active exploitation with only a temporary mitigation available. Apply the June update, verify the patch is in place, and check Exchange access logs for any OWA anomalies during the May 13 to June 9 window if you have not already done so. The EM mitigation was effective for what it could do. The patch closes what it could not.
What happened

CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access component of on-premises Exchange Server 2016, 2019, and Subscription Edition. When a victim opens a crafted email in OWA, the XSS payload executes arbitrary JavaScript in their browser session with their Exchange permissions. For users with administrative access to Exchange, that means arbitrary actions within the Exchange management interface. Microsoft first disclosed it on May 13 with active exploitation already confirmed.

The Exchange Emergency Mitigation Service applied a server-side control that reduced the attack surface but did not patch the underlying vulnerability. That temporary mitigation has been the only available protection for four weeks. The federal remediation deadline passed May 29 with no permanent fix available. Today’s June Patch Tuesday release delivers the permanent fix.

Administrators should apply the June update to all on-premises Exchange deployments and verify patch installation through the Exchange Management Shell. After confirming the permanent patch is in place, the EM mitigation can be removed.

Recommended actions
Derived from Notebookcheck June 2026 Patch Tuesday coverage and Microsoft Exchange MSRC advisory CVE-2026-42897, June 9, 2026.
02 · Patch Tuesday · SharePoint
SharePoint CVE-2026-45659 CVSS 8.8 patched. Any authenticated user can execute code remotely on affected SharePoint Server versions with no elevated privileges required.
CVE-2026-45659 · CVSS 8.8
The June Patch Tuesday release patches CVE-2026-45659 across all affected SharePoint Server versions. The vulnerability allows an authenticated attacker to execute code remotely without requiring administrative or elevated privileges. Not yet confirmed exploited in the wild.
Executive Impact
Any authenticated SharePoint user is in scope for this vulnerability, which in most organisations means the entire workforce. Apply the June Patch Tuesday update to SharePoint Server today. Internet-facing SharePoint deployments are the higher priority, but internal deployments should follow promptly given the low privilege requirement for exploitation.
Don’t Miss
SharePoint has appeared in this brief in five separate issues since April. CVE-2026-32201 was actively exploited and added to CISA KEV in April. CVE-2026-40365 and related SharePoint RCEs appeared in the May Patch Tuesday batch. CVE-2026-45659 is patched before exploitation has been confirmed, which represents an improvement over the April pattern. That said, SharePoint is a high-value target with consistent research attention. Apply this patch on the same timeline as the Exchange fix rather than treating it as lower urgency.
CyberSip Take
SharePoint at CVSS 8.8, authenticated but no elevated privileges. The attack surface is every SharePoint user in the organisation. The previous SharePoint CVE in this brief went from patch to active exploitation quickly. Apply today alongside the Exchange fix.
What happened

CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server addressed in the June 9 Patch Tuesday release. The vulnerability carries a CVSS score of 8.8 and Microsoft has assigned it important severity. An authenticated attacker with no elevated privileges can exploit the flaw to execute code remotely on affected SharePoint Server versions.

Microsoft has not confirmed exploitation in the wild at time of writing. However, SharePoint RCE vulnerabilities have historically moved from patch release to active exploitation within days when the barrier to exploitation is ordinary authentication rather than administrative access. CVE-2026-45659 fits that profile: authenticated but no elevated privileges means anyone with a SharePoint account is a potential starting point for exploitation.

Recommended actions
Derived from The Hacker News reporting on CVE-2026-45659 and June 2026 Patch Tuesday coverage, June 9, 2026.
03 · Expires Today · KEV Triple
CISA KEV deadline expires today: DAEMON Tools, TanStack, and Nx Console. Three separate remediations, each with a different completion test.
CVE-2026-8398 · CVE-2026-45321 · CVE-2026-48027
The June 10 federal deadline for the three supply chain CVEs added to KEV on May 27 closes today. Federal agencies are required to have remediated by that date. Private organisations face the same operational risk and should hold themselves to the same line.
Executive Impact
If any of the three remediations remain open, complete them today. Each requires different action: DAEMON Tools is a software update plus credential rotation, TanStack requires a software composition analysis covering lock files and container layers, and Nx Console requires both an extension update and developer credential rotation. The deadline today is the compliance line. The operational risk does not go away when the deadline passes.
Don’t Miss
The TanStack remediation is the one most likely to be incomplete because it requires looking beyond package.json. Lock files and cached CI build artifacts can still reference compromised versions even after the local package has been updated. Container images built during the compromise window that bundled affected versions as layers are also still exposed. A pipeline that installs from a cached layer containing a compromised TanStack version is not remediated just because the developer’s local files are clean. If TanStack is in your stack, verify the SCA covers all of those surfaces, not just the current package list.
CyberSip Take
These three items have been in this brief since Issue 46 on May 29. Today is the day. Complete the remediations and close them out. The deadline expiring does not change the underlying risk — stolen credentials from Nx Console or DAEMON Tools remain valid until rotated, regardless of what date it is.
Completion criteria

DAEMON Tools CVE-2026-8398: Update to version 12.6 or later, or uninstall. On any machine that ran an affected version between April and May 2026, rotate credentials regardless of whether the software has since been updated. The credential rotation is the remediation; the software update closes the future exposure.

TanStack CVE-2026-45321: Run a software composition analysis covering package.json, lock files, cached CI packages, and container images built during the compromise window. Confirm no references to the compromised package versions remain in any active build pipeline or deployed artifact.

Nx Console CVE-2026-48027: Confirm the Nx Console VS Code extension is on the patched version. On any developer machine that had the compromised extension installed during the May window, rotate GitHub tokens, cloud provider keys, CI/CD secrets, and npm tokens. The extension update closes future exposure; only the credential rotation addresses the past.

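The TanStack completion criteria above hinge on a point that package.json alone cannot show: a declared range that looks clean can still resolve, through the lock file, to a pinned compromised version. The following is an added example (not CyberSip's code and not any TanStack tooling) of the manifest-and-lock-file part of that SCA check. Package names, versions and the sample files are constructed placeholders, since the advisory's affected-version list is not reproduced in this brief; replace `AFFECTED` with the real list. It goes slightly beyond the text by handling both lockfileVersion 1 (nested `dependencies` tree) and lockfileVersion 2/3 (flat `packages` map). Cached CI artifacts and container image layers still need an artifact or image scanner; this covers only what lives in the repository.

```python
"""Scan npm manifests and package-lock.json files for pinned versions of
packages listed as compromised.  All names, versions and sample files here
are constructed placeholders, not real advisory data."""
import json
from typing import Dict, Iterator, List, Set, Tuple

# PLACEHOLDER: substitute the affected package -> versions map from the advisory.
AFFECTED: Dict[str, Set[str]] = {
    "@tanstack/example-pkg": {"1.2.3", "1.2.4"},
}

Finding = Tuple[str, str, str]  # (location in the lock file, package name, pinned version)


def _walk_v1_deps(deps: dict, path: str) -> Iterator[Finding]:
    """Recursively yield every pin from a lockfileVersion 1 'dependencies' tree."""
    for name, info in deps.items():
        here = f"{path}/{name}" if path else name
        yield here, name, info.get("version", "")
        yield from _walk_v1_deps(info.get("dependencies", {}), here)


def resolved_packages(lock: dict) -> Iterator[Finding]:
    """Yield every pinned package in a package-lock.json, whatever its lockfileVersion."""
    # lockfileVersion 2/3: flat 'packages' map keyed by node_modules path ("" is the root project)
    for path, info in lock.get("packages", {}).items():
        if not path:
            continue
        name = info.get("name") or path.split("node_modules/")[-1]
        yield path, name, info.get("version", "")
    # lockfileVersion 1 (v2 also keeps a legacy copy): nested 'dependencies' tree
    yield from _walk_v1_deps(lock.get("dependencies", {}), "")


def find_compromised_refs(lock_text: str, affected: Dict[str, Set[str]]) -> List[Finding]:
    """Return each (path, name, version) pin that matches the affected list, deduplicated."""
    lock = json.loads(lock_text)
    hits: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    for path, name, version in resolved_packages(lock):
        if version in affected.get(name, set()) and (path, version) not in seen:
            seen.add((path, version))
            hits.append((path, name, version))
    return hits


def manifest_ranges(manifest_text: str) -> Dict[str, str]:
    """Return the declared dependency ranges from package.json; ranges are not pins."""
    manifest = json.loads(manifest_text)
    declared: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))
    return declared


# Constructed sample files: the manifest range looks harmless, the lock file pins a bad version.
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-app",
  "dependencies": { "@tanstack/example-pkg": "^1.2.0" }
}"""

SAMPLE_LOCK_V3 = """{
  "name": "constructed-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "constructed-app", "dependencies": { "@tanstack/example-pkg": "^1.2.0" } },
    "node_modules/@tanstack/example-pkg": {
      "version": "1.2.3",
      "resolved": "https://registry.example/tanstack-example-pkg-1.2.3.tgz"
    }
  }
}"""

SAMPLE_LOCK_V1 = """{
  "name": "constructed-app",
  "lockfileVersion": 1,
  "dependencies": {
    "some-wrapper": {
      "version": "4.0.0",
      "dependencies": { "@tanstack/example-pkg": { "version": "1.2.4" } }
    }
  }
}"""


if __name__ == "__main__":
    print("package.json declares:", manifest_ranges(SAMPLE_PACKAGE_JSON))
    for label, lock in (("lockfileVersion 3", SAMPLE_LOCK_V3), ("lockfileVersion 1", SAMPLE_LOCK_V1)):
        for path, name, version in find_compromised_refs(lock, AFFECTED):
            print(f"[{label}] {path}: {name}@{version} is a compromised pin")
```

Run it against each lock file in every branch and CI cache that still builds, not just the developer's working tree; a clean `package.json` with a dirty lock file is exactly the case the completion criteria above warn about, and a transitive pin (the lockfileVersion 1 sample) never appears in the manifest at all.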
Recommended actions
Derived from CISA KEV catalog entries dated May 27, 2026, first covered in Issue 46.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Day 3 · Cisco SD-WAN CVE-2026-20245 (Issue 56). Seventh zero-day exploited this year, no patch yet. Restrict CLI access to trusted administrators, apply published IOCs. Patch immediately when Cisco releases a fix.
Day 4 · Miasma worm (Issue 55). Perpetual loop mechanism confirmed. Any developer machine that installed affected npm packages June 1–6 needs full credential rotation regardless of whether the package has since been removed.
Cross-source standouts
01
Exchange CVE-2026-42897 is the longest-running monitoring strip item in this brief
First covered in Issue 34 on May 16. Exploited from day one of public disclosure. Federal deadline passed May 29 with no permanent patch available. Monitoring strip through Issues 35 to 57. Twenty-four days between confirmation of active exploitation and a permanent fix. That is an unusually long window for an actively exploited Exchange vulnerability, and the gap reflects both the complexity of the underlying fix and the limited options available to defenders during that period. The EM mitigation held the line. Today it gets replaced by something permanent.
02
Patch Tuesday is a closure event today, not just a patch event
Most Patch Tuesdays add to the list of things to do. Today’s closes two: the Exchange flaw that has been in the monitoring strip since May, and the CISA KEV supply chain triple that has been there since Issue 46. The Secure Boot certificate update also advances toward the June 26 completion target. Three closures on one day is genuinely notable. Security teams that complete all three today will end the day with a shorter outstanding items list than they started with, which has not been the pattern for most of May and June.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.