
Tomorrow Is The CISA Deadline For Exchange CVE-2026-42897. While You're Patching, Here Are Three Other Things That Hit This Week.

  • Writer: Patrick Duggan

The U.S. Cybersecurity and Infrastructure Security Agency added Microsoft Exchange CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, with a Federal Civilian Executive Branch patch-or-mitigate deadline of May 29, 2026. That deadline is tomorrow. By close of business in Washington, every federal civilian agency running on-premises Exchange Server is required to have applied the mitigation or removed the vulnerable instance from public-facing infrastructure. Federal compliance is mandatory; non-federal compliance is sensible. The active exploitation is real, the patch is small, and the attacker tradecraft against Exchange has been documented for ten years across every named campaign that touched the platform — IronTiger, Hafnium, the entire ProxyLogon / ProxyShell post-2021 generation, and now the OWA-XSS vector that CVE-2026-42897 opened.


If you operate an on-premises Exchange Server and have not yet patched, tonight is your last quiet window. The vulnerability is being exploited via a crafted email — no authentication required, no user interaction beyond receiving the message. The patch is available from Microsoft Security Update Center. The mitigation, if you cannot patch immediately, is to disable the affected OWA endpoint at the perimeter until the patch is applied. This is the kind of CVE where the asymmetric cost favors the defender who acts in the next twelve hours — and disfavors the defender who acts in the next twelve days. DugganUSA's STIX feed has carried the CVE record since the original disclosure window in May. Tonight's update adds a federal-deadline marker to the record for any feed consumer who wants to know "is the window closing."
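One way a feed consumer could answer "is the window closing" from a STIX 2.1 bundle, as an added example that is not DugganUSA's own code: it walks the vulnerability objects, reads the CVE id from the standard `external_references`, and computes days remaining to a due date. The bundle below is constructed (ids are placeholders), and `x_federal_due_date` is a hypothetical custom property in the STIX `x_` convention, since the post does not name the real feed's marker field.

```python
import json
from datetime import date

# Constructed sample bundle standing in for one feed record (not real feed output).
# CVE id and dates come from the post; x_federal_due_date is a hypothetical property.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "vulnerability", "spec_version": "2.1",
            "id": "vulnerability--00000000-0000-4000-8000-000000000002",
            "created": "2026-05-15T00:00:00.000Z", "modified": "2026-05-28T00:00:00.000Z",
            "name": "CVE-2026-42897",
            "external_references": [{"source_name": "cve", "external_id": "CVE-2026-42897"}],
            "x_federal_due_date": "2026-05-29",
        },
        {   # a non-vulnerability object, present to show it is skipped
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2026-05-28T00:00:00.000Z", "modified": "2026-05-28T00:00:00.000Z",
            "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix",
            "valid_from": "2026-05-28T00:00:00Z",
        },
    ],
})


def cve_id(obj):
    """Return the CVE id from a vulnerability SDO's external references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "cve" and ref.get("external_id", "").startswith("CVE-"):
            return ref["external_id"]
    return None


def closing_windows(bundle_json, today, horizon_days=7):
    """Return {cve: days_left} for vulnerabilities due within horizon_days of today.

    today may be a date or an ISO string. Negative days_left means the deadline has
    passed; objects without a due-date property are skipped rather than guessed at.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    out = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "vulnerability":
            continue
        cve, due = cve_id(obj), obj.get("x_federal_due_date")
        if cve and due and (date.fromisoformat(due) - today).days <= horizon_days:
            out[cve] = (date.fromisoformat(due) - today).days
    return out


if __name__ == "__main__":
    for cve, days in closing_windows(SAMPLE_BUNDLE, "2026-05-28").items():
        print(f"{cve}: {days} day(s) until the federal due date")
```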


This is the customer-protective post. The Exchange CVE is the reason for the post. The other three items below are the related context that hit this week and that any defender consuming our feed should also have on the radar.



Marquis financial services breach — roughly four hundred thousand bank and credit union customers


Marquis is a financial services vendor providing technology services to United States community banks and credit unions. The company disclosed a ransomware incident this week resulting in the exposure of approximately four hundred thousand customer records containing personal and financial data. The supply-chain blast radius matters: Marquis is a third-party service provider, which means the four hundred thousand affected individuals are distributed across multiple downstream banks and credit unions. The notification cascade is going to take weeks. If you are a community bank or credit union and any of your customer-facing systems use Marquis tooling, your customers are in the affected population whether you know it yet or not. The relevant defender posture is to assume your data is in the affected set, monitor for unusual authentication patterns against retail banking surfaces, and pre-position fraud monitoring before the inevitable wave of credential-stuffing and SIM-swap attempts against the exposed customer accounts.



Brightspeed telecommunications breach — one million customer records claimed by Crimson Collective


Brightspeed is a United States telecommunications and internet provider serving twenty states. Crimson Collective, a new aggressive cyber-extortion crew that we first surfaced in DugganUSA's March 2026 threat-landscape blog, has claimed the breach and asserts more than a million customer records exfiltrated. The Brightspeed disclosure is the most consequential operation Crimson Collective has executed to date. Their methodology centers on data-theft + leak-extortion without traditional ransomware encryption — a tradecraft profile that overlaps with ShinyHunters' SaaS-platform-pivot pattern but with what appears to be independent operator infrastructure. DugganUSA's adversary index now carries Crimson Collective as a standalone record alongside ShinyHunters, TeamPCP, and the other May 2026 active clusters. Defenders running telecom-adjacent customer-data systems should treat the actor as a sustained threat rather than a one-off opportunist.



Silent Ransom Group / Luna Moth / TG2729 — FBI advisory targeting law firms


The FBI issued an alert on May 27, 2026, naming Silent Ransom Group as an active threat targeting United States law firms. The group has been informally tracked since 2023 under several names including Luna Moth, Chatty Spider, and TG2729; the FBI's preferred current designation is Silent Ransom Group. Their methodology is unusually specific: phone-based social engineering against legal-sector help-desk teams, followed by abuse of legitimate remote-access tooling — RMM platforms, ScreenConnect-class software — to establish persistence and exfiltrate attorney-client-privileged documents. The extortion pressure they apply is calibrated to the privileged nature of the data: leak threats against legal-privileged material carry disproportionate ransom-payment leverage because the privilege itself is destroyed by public exposure. Any law firm with help-desk personnel who can reset MFA or push remote-access software should treat that workflow as a high-value attack surface and verify caller identity through out-of-band channels before any privileged action.



What ties the four items together


Three named extortion crews and one CVE on a federal patch deadline make up the texture of a normal late-May week in the 2026 threat landscape. The interesting structural property is that all four items belong to the same defender posture: assume the indirect-trust artifact layer is hostile, treat third-party vendors as part of your blast radius, treat phone-based social engineering against help-desk teams as the standard initial-access vector, and patch the things CISA tells you to patch within the window CISA tells you to patch them. None of these are exotic primitives. All of them work because the median defender does not act fast enough on the average week.


The DugganUSA STIX feed at https://analytics.dugganusa.com/api/v1/stix-feed carries indicators on all four items. The adversaries index carries standalone records on Crimson Collective and Silent Ransom Group. The Exchange CVE record carries the federal-deadline marker. The feed is free; the API key is free; the corpus runs ahead of the news cycle on a structural margin that compounds. Tomorrow's patching window is small. Tonight is the best time to consume the feed.


The receipt is timestamped. The window is open. Patch the Exchange instance, audit the help-desk, watch the third-party vendors, and assume everything that hit this week will hit you eventually.





