CISA Issues Emergency Directive: Patch Critical Microsoft Exchange Flaw by August 11 or Risk Cloud Compromise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent emergency directive (ED 25-02) on August 7, 2025, mandating that Federal Civilian Executive Branch (FCEB) agencies immediately address a high-severity security flaw in Microsoft Exchange Server. Agencies operating Microsoft Exchange hybrid environments must implement required mitigations by 9 a.m. EDT on Monday, August 11, 2025, to prevent potential compromise of their cloud environments.
The vulnerability, tracked as CVE-2025-53786 with a CVSS score of 8.0, affects on-premises versions of Exchange Server. Microsoft previously disclosed this flaw, acknowledging Dirk-jan Mollema of Outsider Security for its discovery. The critical risk arises in hybrid deployments where an attacker who has already gained administrative access to an on-premises Exchange server could escalate privileges within the organization’s connected Microsoft 365 cloud environment, including Exchange Online and SharePoint, without leaving easily detectable traces. This is due to the shared service principal between Exchange Server and Exchange Online in hybrid configurations.
CISA emphasizes that this vulnerability poses a significant risk to organizations that have not yet applied the April 2025 patch guidance. Successful exploitation could allow attackers to impersonate any hybrid user within the tenant for 24 hours and gain unfettered access to cloud services, bypassing traditional security checks.
As immediate mitigations, CISA and Microsoft urge customers to review Exchange Server security changes for hybrid deployments, install the April 2025 Hot Fix (or newer), and follow specific configuration instructions, including resetting service principal keyCredentials if hybrid or OAuth authentication is no longer used. Microsoft also plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025 and has begun temporarily blocking Exchange Web Services (EWS) traffic using the shared service principal this month to encourage adoption of a dedicated hybrid app.
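The following is an added example, not part of CISA's directive or Microsoft's own hybrid tooling, of how a tenant administrator can audit the keyCredentials registered on the shared Exchange Online service principal with Microsoft Graph PowerShell and, only on explicit request, clear them as the "reset service principal keyCredentials" step describes. The Exchange Online application ID and the Graph cmdlets are real; the script layout and its `-Reset` switch are this example's own assumptions.

```powershell
<#
Added example (not from CISA or Microsoft). Audits the first-party
"Office 365 Exchange Online" service principal for keyCredentials, which is
where the on-premises Exchange auth certificate lives in the shared-principal
hybrid model, and clears them only when -Reset is passed and confirmed.
Assumes the Microsoft.Graph.Applications module is installed.
#>
param([switch]$Reset)

# Well-known appId of the Exchange Online first-party application (same in every tenant).
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# A read-only audit needs Application.Read.All; clearing credentials needs ReadWrite.
$scope = if ($Reset) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }

$creds = @($sp.KeyCredentials)
if ($creds.Count -eq 0) {
    Write-Output 'No keyCredentials on the Exchange Online service principal; nothing to reset.'
    return
}

# List each registered key so it can be matched against the on-premises Exchange
# auth certificate before deciding whether hybrid/OAuth via this principal is still used.
$now = Get-Date
$creds | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        KeyId       = $_.KeyId
        Usage       = $_.Usage
        Type        = $_.Type
        NotAfter    = $_.EndDateTime
        Expired     = ($_.EndDateTime -lt $now)
    }
} | Format-Table -AutoSize

if (-not $Reset) {
    Write-Output "$($creds.Count) keyCredential(s) present. Re-run with -Reset to clear them."
    return
}

# Destructive step: clearing keyCredentials breaks any on-premises-to-cloud auth that
# still relies on the shared principal, so it is gated behind -Reset plus a typed confirmation.
$answer = Read-Host 'Type RESET to remove all keyCredentials from the Exchange Online service principal'
if ($answer -ne 'RESET') { Write-Output 'Aborted; no changes made.'; return }

Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
Write-Output "keyCredentials cleared; verify with Get-MgServicePrincipal -ServicePrincipalId $($sp.Id)"
```

Run without `-Reset` first to record what is registered; Microsoft's own guidance is to move hybrid tenants to the dedicated hybrid app before clearing credentials on the shared principal.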
The directive comes amidst broader concerns, as CISA also highlighted the exploitation of recently disclosed SharePoint flaws (ToolShell) and reiterated the importance of disconnecting public-facing, end-of-life Exchange and SharePoint servers from the internet. The August 11 deadline underscores the extreme urgency for federal agencies to secure their hybrid Exchange deployments against this critical threat.