The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert warning organizations of a vulnerability that could lead to “hybrid cloud and on-premises total domain compromise.”
The vulnerability, tracked as CVE-2025-53786, has been assigned a CVSS score of 8.0 and is rated “High” severity.
Products affected include Microsoft Exchange Server Subscription Edition RTM, Microsoft Exchange Server 2019 Cumulative Update 15, Microsoft Exchange Server 2016 Cumulative Update 23, and Microsoft Exchange Server 2019 Cumulative Update 14.
The vulnerability affects Microsoft Exchange hybrid-joined configurations. An attacker who has already authenticated as an administrator on the on-premises Exchange server can use the vulnerable hybrid configuration to move laterally into the organization’s M365 cloud environment and escalate privileges there.
Essentially, this means threat actors can abuse the identity that on-premises Exchange and Exchange Online share for authenticating to each other (the hybrid service principal) to take over the Exchange Online environment. As BleepingComputer reports, this attack is hard to detect with cloud-based permission monitoring tools, because they do not always have visibility into on-premises deployments.
The flaw is known as a “post-authentication” vulnerability, as it requires the threat actor to already have authenticated access to the on-premises Exchange server.
In a blog post, CISA says it is “deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment.”
Infosecurity Magazine reports that over 29,000 Microsoft Exchange servers are currently vulnerable and unpatched.
Remediation Guidance
Microsoft released an update that fixes this vulnerability in April 2025 as part of its Secure Future Initiative. The fix involves deploying a dedicated Exchange hybrid app in place of the shared service principal, which makes hybrid environments more secure. You can view the original announcement here.
This week, Microsoft released a new batch of updates and guidance, detailed in a blog post. It announced it will be “temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service.”
Microsoft also released an updated Hybrid Configuration Wizard to help speed up adoption of the Exchange hybrid app.
Microsoft said: “We strongly recommend transitioning to the dedicated Exchange Hybrid app as soon as possible and following the guidance provided in Exchange Server Security Changes for Hybrid Deployments blog post.”
In its advisory, CISA said: “CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.
- Organizations should first inventory all Exchange Servers on their networks (organizations should leverage existing visibility tools or publicly available tools, such as NMAP or PowerShell scripts, to accomplish this task).
- If using Exchange hybrid, review Microsoft’s guidance Exchange Server Security Changes for Hybrid Deployments to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU).
- Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft’s configuration instructions Deploy dedicated Exchange hybrid app.
- For organizations using Exchange hybrid (or have previously configured Exchange hybrid but no longer use it), review Microsoft’s Service Principal Clean-Up Mode for guidance on resetting the service principal’s key Credentials.
- Upon completion, run the Microsoft Exchange Health Checker with appropriate permissions to identify the CU level of each Exchange Server identified and to determine if further steps are required.”
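The following PowerShell script walks CISA’s steps above from the Exchange Management Shell: it inventories the Exchange servers known to Active Directory, reads each server’s real build, compares it to the April 2025 Hotfix Update, and reports whether hybrid is configured and whether the dedicated hybrid app override is present. It is an added example written for this article, not code from CISA, Microsoft or the article itself. The minimum build numbers, the `EnableExchangeHybridApplicationOverride` setting-override name and the use of the `ExchangeInstallPath` environment variable are assumptions that should be verified against Microsoft’s Exchange build number table and the output of Microsoft’s own hybrid app deployment script before the results are trusted.

```powershell
# Added example (not from the article, CISA or Microsoft). Run from the Exchange
# Management Shell as an Organization Management member with WinRM access to each server.
#
# Caveat a practitioner will want: Get-ExchangeServer's AdminDisplayVersion only reflects
# the Cumulative Update. Hotfix Updates and Security Updates change the file version of
# ExSetup.exe instead, so that is what this script compares.
#
# ASSUMED minimum builds for the April 2025 Hotfix Update; verify against Microsoft's
# Exchange Server build number table before relying on this output.
$Apr2025HuMinimumBuild = @{
    '15.1.2507' = [version]'15.1.2507.55'   # Exchange 2016 CU23 + April 2025 HU (assumed)
    '15.2.1544' = [version]'15.2.1544.25'   # Exchange 2019 CU14 + April 2025 HU (assumed)
    '15.2.1748' = [version]'15.2.1748.24'   # Exchange 2019 CU15 + April 2025 HU (assumed)
}

function Get-ExchangeHybridPatchStatus {
    # Step 1: inventory from AD. This only finds servers that were installed cleanly;
    # CISA also suggests Nmap for forgotten or unmanaged hosts.
    $servers = Get-ExchangeServer

    # Step 2: is the organization hybrid at all? Nothing is returned if hybrid was never run.
    $isHybrid = $null -ne (Get-HybridConfiguration -ErrorAction SilentlyContinue)

    # Step 3 check: Microsoft's dedicated hybrid app deployment script registers a global
    # setting override. The override name below is an ASSUMPTION; confirm it against the
    # script's own output or the Exchange Health Checker report.
    $dedicatedAppOverride = Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'EnableExchangeHybridApplicationOverride' }

    foreach ($server in $servers) {
        $build = $null
        try {
            # Read the ExSetup.exe file version remotely; ExchangeInstallPath is set on
            # every Exchange server (assumed here, as on Exchange 2016/2019 installs).
            $build = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
                (Get-Item $exSetup).VersionInfo.FileVersion
            }
        } catch {
            $build = $null   # unreachable or no rights; surfaced as 'Unreachable' below
        }

        $status = 'Unreachable'
        if ($build) {
            $v = [version]$build
            # Key the lookup on major.minor.build (the CU), compare on the full version.
            $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
            if ($Apr2025HuMinimumBuild.ContainsKey($cuKey)) {
                $status = if ($v -ge $Apr2025HuMinimumBuild[$cuKey]) {
                    'Apr2025HU-Or-Later'
                } else {
                    'MISSING-Apr2025HU'
                }
            } else {
                # e.g. Exchange Server Subscription Edition or an unlisted CU: check by hand.
                $status = 'UnknownCU-CheckManually'
            }
        }

        [pscustomobject]@{
            Server              = $server.Name
            AdminDisplayVersion = $server.AdminDisplayVersion   # CU only, shown for contrast
            ExSetupBuild        = $build
            HotfixStatus        = $status
            HybridConfigured    = $isHybrid
            DedicatedHybridApp  = [bool]$dedicatedAppOverride
        }
    }
}

Get-ExchangeHybridPatchStatus | Format-Table -AutoSize
```

Any row showing `MISSING-Apr2025HU`, or `HybridConfigured = True` with `DedicatedHybridApp = False`, still needs CISA’s steps 3 and 4 (install the April 2025 HU, deploy the dedicated hybrid app, and reset the old service principal’s credentials in clean-up mode). The script does not perform the service principal clean-up, and it does not replace CISA’s final step: run Microsoft’s Exchange Health Checker afterwards, since it checks the CU level and the hybrid app configuration with Microsoft’s own, maintained build data.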
CISA ordered all federal civilian agencies to remediate the vulnerabilities and follow their guidance by no later than Monday, 11 August. You can view the full list of required actions here.
Read More On This Topic:
- 29,000 Servers Remain Unpatched Against Microsoft Exchange Flaw
- CISA, Microsoft Warn About New Microsoft Exchange Server Vulnerability
- Microsoft Releases Guidance On High-Severity Vulnerability (CVE-2025-53786) In Hybrid Exchange Deployments
- Dedicated Hybrid App: Temporary Enforcements, New HCW And Possible Hybrid Functionality Disruptions
- Microsoft Warns Of High-Severity Flaw In Hybrid Exchange Deployments