

The Cybersecurity and Infrastructure Security Agency is giving agencies through the weekend to patch a critical vulnerability in hybrid configurations of Microsoft’s widely used Exchange product.
In an emergency directive issued early Thursday afternoon, CISA is giving agencies until 9 a.m. on Monday, Aug. 11, to mitigate the Microsoft Exchange vulnerability. CISA said it was not aware of active exploitation of the vulnerability, but that it could “severely impact an organization’s identity integrity and administrative access across cloud-connected services” if left unaddressed.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend,” CISA Acting Director Madhu Gottumukkala said in a statement. “The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”
CISA said the vulnerability “poses a grave risk” to organizations operating Exchange hybrid-joined configurations that haven’t yet followed patch guidance released by Microsoft in April.
“Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment,” the agency wrote in its alert.
Under the directive, agencies are required to assess their Microsoft Exchange environment and disconnect any end-of-life servers that were not eligible for an April 2025 update.
Agencies that maintain on-premises Exchange servers are required to perform a number of additional mitigations by Monday morning.
In a separate advisory issued Wednesday evening, CISA said the “high-severity vulnerability” could allow a hacker to exploit vulnerable hybrid configurations. Left unaddressed, the vulnerability could allow hackers to achieve “total domain compromise,” CISA wrote.
Microsoft said it had not observed any exploitation of the vulnerability, but urged organizations with implicated environments to immediately apply mitigations.
Black Hat connections
Microsoft said it discovered the severe vulnerability as part of the general Exchange hybrid changes released in April.
“Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement,” Microsoft wrote in a vulnerability summary.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
At the Black Hat cybersecurity conference in Las Vegas, Nev., on Wednesday, independent security researcher Dirk-jan Mollema demonstrated the exploit. He said he was able to introduce several new lateral movement techniques, allowing him to bypass authentication and “stealthily exfiltrate data” using on-premises Active Directory as a starting point.
https://www.blackhat.com/us-25/briefings/schedule/#advanced-active-directory-to-entra-id-lateral-movement-techniques-46500
Microsoft bugs
The Exchange vulnerability is the latest to hit Microsoft products and services that are widely relied upon by federal agencies and organizations across the world.
In July, hackers began exploiting a previously unknown “zero day” vulnerability in Microsoft’s SharePoint software. CISA gave agencies a tight deadline to mitigate that vulnerability as well.
Nevertheless, multiple federal agencies were reportedly hacked as a result of the SharePoint exploit.
Some cybersecurity experts have criticized Microsoft for lax cybersecurity practices and called on the government to reduce its reliance on the tech giant.
In 2024, the Cyber Safety Review Board — which was disbanded by the Trump administration earlier this year — released a highly critical report on Microsoft’s cloud security practices. Following the report, the company accepted responsibility for the findings and committed to making security improvements.
© 2025 Federal News Network. All rights reserved.