
CISA orders fed agencies to patch new Exchange flaw by Monday

CISA has issued an emergency directive ordering all Federal Civilian Executive Branch (FCEB) agencies to mitigate a critical Microsoft Exchange hybrid vulnerability tracked as CVE-2025-53786 by Monday morning at 9:00 AM ET.

Federal Civilian Executive Branch (FCEB) agencies are non-military agencies within the US executive branch, including the Department of Homeland Security, Department of the Treasury, Department of Energy, and Department of Health and Human Services.

The flaw allows attackers who have already gained administrative access to on-premises Exchange servers to move laterally into Microsoft cloud environments, potentially leading to complete domain compromise.

The vulnerability impacts Microsoft Exchange Server 2016, 2019, and the Subscription Edition.

In hybrid configurations, Exchange Online and on-premises servers share the same service principal: a single trusted identity that each side uses to authenticate to the other.

An attacker with admin privileges on an on-premises Exchange server can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate. This lets attackers spread laterally from the local network into the company’s cloud environment, potentially compromising the company’s entire Active Directory and infrastructure.

To make matters worse, Microsoft says cloud-based logging tools like Microsoft Purview may not log malicious activity if it originates from on-prem Exchange, making it hard to detect exploitation.

This flaw comes after Microsoft released guidance and an Exchange server hotfix in April 2025 to support a new architecture that uses a dedicated hybrid application, rather than the shared one, as part of its Secure Future Initiative.

Yesterday, security researcher Dirk-Jan Mollema of Outsider Security demonstrated how this shared service principal could be exploited in a post-exploitation attack during a Black Hat presentation.


The researcher told BleepingComputer that he reported the flaw three weeks before the talk to give Microsoft advance warning. In coordination with the presentation, Microsoft assigned CVE-2025-53786 and published guidance on how to mitigate it.

“I did not originally consider this a vulnerability because the protocol that is used for these attacks was designed with the features covered during the talk, and is just in general lacking important security controls,” Mollema told BleepingComputer.

“The report describing the possibilities for attackers was sent as a heads up to the MSRC 3 weeks before Black Hat and the disclosure was coordinated with them. Aside from this guidance Microsoft also mitigated an attack path that could lead to full tenant compromise (Global Admin) from on-prem Exchange.”

The good news is that Microsoft Exchange customers who previously implemented the hotfix and the April guidance are already protected from this new post-exploitation attack.

However, those who have not implemented the mitigations are still impacted and should install the hotfix and follow Microsoft’s instructions (doc 1 and doc 2) on deploying the dedicated Exchange hybrid app.

“Only applying the hotfix is not sufficient in this case; there are manual follow-up actions required to migrate to a dedicated service principal,” explained Mollema.

“The urgency from a security point of view depends on how much admins consider isolation between on-prem Exchange resources and cloud-hosted resources important. In the old setup, Exchange hybrid has full access to all resources in Exchange online and in SharePoint.”

Mollema also reiterated that his technique is a post-exploitation attack, meaning an attacker already has to have compromised the on-premises environment or the Exchange servers, and in this case, have administrator privileges.


According to CISA’s Emergency Directive 25-02, federal agencies must now mitigate the attack by first taking an inventory of their Exchange environments using Microsoft’s Health Checker script. Any servers that are no longer supported by the April 2025 hotfix, such as end-of-life Exchange versions, must be disconnected.

All remaining servers must be updated to the latest cumulative updates (CU14 or CU15 for Exchange 2019, and CU23 for Exchange 2016) and patched with the April hotfix. Afterward, administrators must run Microsoft’s ConfigureExchangeHybridApplication.ps1 PowerShell script to switch from the shared to the dedicated service principal in Entra ID.
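The inventory and version checks above can be scripted. The following is an added example, not code from the article, CISA or Microsoft: it classifies each server from the AdminDisplayVersion string that Get-ExchangeServer returns against the CU baselines the directive names. The hotfixed build numbers in the table are assumed from Microsoft's published Exchange build list and must be confirmed there before acting on the output.

```powershell
# Added example (not from the article, CISA or Microsoft). Baseline = the CU plus
# the April 2025 hotfix; build numbers are assumed from Microsoft's build table.
$HotfixedBuilds = @{
    '15.1' = @{ Product = 'Exchange 2016';    Versions = @([version]'15.1.2507.55') }                       # CU23 + Apr25 HU
    '15.2' = @{ Product = 'Exchange 2019/SE'; Versions = @([version]'15.2.1544.25', [version]'15.2.1748.24') } # CU14/CU15 + Apr25 HU
}

function Get-ExchangeHybridReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$AdminDisplayVersion
    )
    process {
        # "Version 15.2 (Build 1748.10)" -> [version]15.2.1748.10
        if ($AdminDisplayVersion -notmatch 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)') {
            $product = 'Unknown'; $action = 'Investigate: unparsable AdminDisplayVersion'
        } else {
            $ver    = [version]"$($Matches[1]).$($Matches[2])"
            $entry  = $HotfixedBuilds["$($ver.Major).$($ver.Minor)"]
            if (-not $entry) {
                # 15.0 (Exchange 2013) and older: no April 2025 hotfix exists, so the directive says disconnect
                $product = "Unsupported ($($ver.Major).$($ver.Minor))"; $action = 'Disconnect from hybrid'
            } else {
                $product = $entry.Product
                $sameCu  = $entry.Versions | Where-Object { $_.Build -eq $ver.Build }
                if ($sameCu) {
                    $action = if ($ver -ge $sameCu) { 'OK' } else { 'Apply April 2025 hotfix' }
                } elseif ($ver.Build -gt ($entry.Versions.Build | Measure-Object -Maximum).Maximum) {
                    $action = 'OK (newer CU/SE build, assumed to include the fix)'
                } else {
                    $action = 'Update to a supported CU, then apply the hotfix'
                }
            }
        }
        [pscustomobject]@{ Name = $Name; Version = $AdminDisplayVersion; Product = $product; Action = $action }
    }
}

# Constructed sample input; on a real server use: Get-ExchangeServer | Get-ExchangeHybridReadiness
$sample = @(
    [pscustomobject]@{ Name = 'EX16-01'; AdminDisplayVersion = 'Version 15.1 (Build 2507.44)' }  # CU23, hotfix missing
    [pscustomobject]@{ Name = 'EX19-01'; AdminDisplayVersion = 'Version 15.2 (Build 1748.24)' }  # CU15 + hotfix
    [pscustomobject]@{ Name = 'EX19-02'; AdminDisplayVersion = 'Version 15.2 (Build 1258.12)' }  # CU13, too old
    [pscustomobject]@{ Name = 'EX13-01'; AdminDisplayVersion = 'Version 15.0 (Build 1497.2)' }   # Exchange 2013, EOL
)
$report = $sample | Get-ExchangeHybridReadiness
$report | Format-Table -AutoSize
if (@($report | Where-Object Action -notmatch '^OK').Count -gt 0) { 'Remediate the servers above before the final step.' }
else { 'All servers at baseline: run ConfigureExchangeHybridApplication.ps1 to move to the dedicated hybrid app.' }
```

The script only reports readiness; switching to the dedicated service principal is still the manual ConfigureExchangeHybridApplication.ps1 step Microsoft documents.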

CISA warns that failing to implement these mitigations could result in hybrid environments being completely compromised.

Agencies must complete the technical remediation steps by Monday morning and submit a report to CISA by 5:00 PM the same day.

While non-government organizations are not required to take action under this directive, CISA urges all organizations to mitigate the attack.

“The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment,” said CISA Acting Director Madhu Gottumukkala.

“While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”

