CISA Issues Urgent Directive: Federal Agencies Must Patch Critical Exchange Flaw by Monday


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, ordering all Federal Civilian Executive Branch (FCEB) agencies to immediately address a critical Microsoft Exchange hybrid vulnerability, CVE-2025-53786. Agencies face a strict deadline of Monday, August 11, 2025, at 9:00 AM ET to implement the necessary mitigations.

The flaw lets an attacker who already holds administrative access to an on-premises Exchange server escalate into the organization's Microsoft cloud environment, potentially ending in a complete compromise of both the on-premises and cloud domains. Because the escalation rides on an identity the cloud side already trusts, it leaves little for defenders to find in cloud audit logs. The vulnerability affects Microsoft Exchange Server 2016, 2019, and Subscription Edition in hybrid configurations, where the on-premises servers and Exchange Online authenticate to each other through a shared service principal in Microsoft Entra ID.

The directive follows a disclosure by security researcher Dirk-Jan Mollema of Outsider Security, who demonstrated the exploit in a Black Hat presentation yesterday, August 7, 2025. Microsoft, in coordination with Mollema, subsequently assigned the CVE and published mitigation guidance.

Microsoft had already released a hotfix and guidance in April 2025 as part of its Secure Future Initiative, but CISA warns that many organizations have not completed the required steps. Installing the hotfix only makes the dedicated hybrid application available; a server stays on the shared service principal until an administrator carries out the manual follow-up configuration that migrates it to the dedicated one.

CISA's Emergency Directive 25-02 requires federal agencies to first inventory their Exchange environments and disconnect any Exchange or hybrid servers that are no longer supported, then update every remaining server to a supported cumulative update (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016) and apply the April 2025 hotfix. Crucially, administrators must then run Microsoft's ConfigureExchangeHybridApplication.ps1 script to move the hybrid deployment from the vulnerable shared service principal to a dedicated one; patching alone does not complete the remediation.
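The inventory and patch-level steps above are easy to get wrong because Get-ExchangeServer's AdminDisplayVersion only reports the cumulative update, not whether a hotfix is installed. The following read-only check, an added example written for this page and not code from the article, CISA or Microsoft, runs from the Exchange Management Shell, reads the ExSetup.exe file version on each server (which does change with each hotfix) and classifies the server against the CU lines named in the directive. The minimum build numbers in the table, the Subscription Edition entry and the wildcard used to look for the dedicated hybrid application override are this example's assumptions and must be verified against Microsoft's published build list before the output is trusted.

```powershell
# Added example: read-only inventory of on-premises Exchange servers against the
# CU/hotfix levels required by ED 25-02. Run from the Exchange Management Shell on a
# server that can reach the others over WinRM (Invoke-Command).

# Minimum ExSetup.exe versions that include the April 2025 hotfix, keyed by CU line.
# ASSUMPTION: these build numbers are illustrative; confirm each against Microsoft's
# Exchange Server build table before relying on the result.
$RequiredBuilds = @{
    '15.1.2507' = [version]'15.1.2507.55'   # Exchange 2016 CU23 + April 2025 HU
    '15.2.1544' = [version]'15.2.1544.25'   # Exchange 2019 CU14 + April 2025 HU
    '15.2.1748' = [version]'15.2.1748.24'   # Exchange 2019 CU15 + April 2025 HU
    '15.2.2562' = [version]'15.2.2562.17'   # Exchange Subscription Edition RTM (assumed to ship with the fix)
}

function Get-ExchangePatchStatus {
    [CmdletBinding()]
    param()

    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion reflects only the CU. ExSetup.exe's file version is bumped by
        # every HU/SU, so read it from the remote server's install directory.
        $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $exSetup).VersionInfo.ProductVersion
        }
        $installed = [version]$fileVersion
        $cuLine    = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

        if (-not $RequiredBuilds.ContainsKey($cuLine)) {
            # Not on a CU line the directive allows: update to a supported CU or disconnect it.
            $status = 'UNSUPPORTED_CU'
        } elseif ($installed -lt $RequiredBuilds[$cuLine]) {
            $status = 'NEEDS_APRIL_HOTFIX'
        } else {
            $status = 'HOTFIX_PRESENT'
        }

        [pscustomobject]@{
            Server = $server.Name
            Build  = $installed.ToString()
            Status = $status
        }
    }
}

function Test-DedicatedHybridAppConfigured {
    # The dedicated hybrid application is switched on through an Exchange setting
    # override created by ConfigureExchangeHybridApplication.ps1.
    # ASSUMPTION: the override's component name contains "HybridApplication"; check the
    # exact name in Microsoft's dedicated hybrid app documentation for your build.
    $override = Get-SettingOverride | Where-Object { $_.Component -like '*HybridApplication*' }
    return [bool]$override
}

# A hotfixed server is not remediated until the dedicated app is in use.
Get-ExchangePatchStatus | Format-Table -AutoSize
if (Test-DedicatedHybridAppConfigured) {
    Write-Host 'Dedicated Exchange hybrid application override is present.'
} else {
    Write-Warning 'No dedicated hybrid application override found: the shared service principal is still in use. Run ConfigureExchangeHybridApplication.ps1.'
}
```

Treat any server reported as UNSUPPORTED_CU or NEEDS_APRIL_HOTFIX as failing the directive's update step, and treat the override check as a hint rather than proof: the dedicated application also has to exist in Entra ID with a valid certificate, which Microsoft's script and its documentation cover.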

Agencies must complete these technical remediations by Monday morning and submit a compliance report to CISA by 5:00 PM the same day. CISA Acting Director Madhu Gottumukkala emphasized the widespread risk, urging all organizations, not just federal ones, to adopt these critical security measures to prevent potential hybrid environment compromise.
