Critical Threat Intelligence & Advisory Summaries

ED 25-02: Mitigate Microsoft Exchange Vulnerability

CISA is aware of a post-authentication vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid-joined configurations that allows an attacker to move laterally from on-premises Exchange to the M365 cloud environment. This vulnerability poses grave risk to all organizations. 

Background

CISA is aware of a post-authentication vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid-joined configurations that allows an attacker to move laterally from on-premises Exchange to the M365 cloud environment. This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical. Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment.

Required Actions:

By 9:00 AM EDT on Monday, August 11, 2025, ALL agencies must:

1. Assess current Microsoft Exchange Environment

a. Run the Microsoft-provided Exchange Server Health Checker script to inventory all Exchange Servers.

b. Identify current Cumulative Update level (e.g., CU14, CU15 for Exchange 2019; CU23 for Exchange 2016).

c. Determine if servers are eligible for the April 2025 Hotfix Updates (HUs).

d. If your agency has ever run Microsoft Exchange in a hybrid configuration, Step 5.b below is required.

2. Disconnect End-of-Life Servers

a. Disconnect all servers not eligible for the April 2025 Hotfix Updates (HUs), to include end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script.

For agencies that implement Microsoft Exchange hybrid environments, perform the following actions by 9:00 AM EDT Monday, August 11, 2025, for all on-premises Exchange Servers not disconnected in Step 2: 

3. Update to Latest Cumulative Update (CU)

a. Use the Exchange Update Wizard to plan your upgrade path.

b. Install the latest CU supported by your environment:

i. Exchange 2019: CU14 or CU15

ii. Exchange 2016: CU23

4. Apply April 2025 Hotfix Updates (HUs), Validate, and Monitor

a. These HUs introduce support for the dedicated Exchange hybrid application in Entra ID.

b. Ensure the update is applied to all hybrid Exchange Servers.

c. Re-run the Health Checker script post-update.

d. Monitor for known issues (e.g., EdgeTransport.exe behavior with Azure RMS).

e. Use SetupAssist and repair tools if installation issues arise.

5. Transition to Dedicated Exchange Hybrid Application

a. Replace the legacy shared service principal with the new dedicated hybrid app in Entra ID.

i. Run .\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication

ii. Use an account that has Application Administrator role permissions in Entra ID (otherwise follow blog instructions for split configuration)

b. Perform Credential Cleanup

i. Run .\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredential

6. Prepare for Microsoft Graph API Transition

a. EWS calls from Exchange Server to Exchange Online will be deprecated.

b. Begin planning to switch to Microsoft Graph API for hybrid functionality.

c. This change will be enforced starting October 2025, with further Graph permission model updates due by October 2026.
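
The following script is an added example for Steps 1 through 5 above; it is not CISA's or Microsoft's code. Run from the Exchange Management Shell, it inventories every Exchange server, triages each against the CU levels the directive requires, and checks whether a hybrid configuration object is present. The minimum CU build numbers it uses (Exchange 2019 CU14 = 15.2.1544, Exchange 2016 CU23 = 15.1.2507) are assumptions to verify against Microsoft's published Exchange build list, and the function names are hypothetical.

```powershell
# Added example (not CISA's or Microsoft's code). Run in the Exchange
# Management Shell. Minimum CU builds are assumptions: verify them against
# Microsoft's published Exchange Server build numbers before relying on them.
$MinimumCuBuild = @{
    '15.2' = 1544   # Exchange 2019 CU14 (CU15 = 1748 also satisfies this)
    '15.1' = 2507   # Exchange 2016 CU23
}

function Get-Ed2502Triage {
    # AdminDisplayVersion reflects the installed CU only; it does NOT change
    # when a Hotfix Update (HU) is applied, so HU presence must still be
    # confirmed with the Exchange Server Health Checker script (Step 4.c).
    foreach ($srv in Get-ExchangeServer) {
        $v = $srv.AdminDisplayVersion
        $major = "$($v.Major).$($v.Minor)"
        if (-not $MinimumCuBuild.ContainsKey($major)) {
            # 15.0 (Exchange 2013) and older are not eligible for the April 2025 HUs
            $action = 'DISCONNECT: end-of-life, not eligible for April 2025 HU (Step 2)'
        } elseif ($v.Build -lt $MinimumCuBuild[$major]) {
            $action = 'UPDATE: below required CU, then apply April 2025 HU (Steps 3-4)'
        } else {
            $action = 'VERIFY: CU level OK; confirm April 2025 HU via Health Checker'
        }
        [pscustomobject]@{
            Server  = $srv.Name
            Version = "$major build $($v.Build).$($v.Revision)"
            Action  = $action
        }
    }
}

function Test-HybridPresent {
    # Step 5.b applies if the agency has EVER run hybrid. This cmdlet only
    # reports a hybrid object that exists now, so an empty result does not
    # prove hybrid was never configured; check change records as well.
    return [bool](Get-HybridConfiguration -ErrorAction SilentlyContinue)
}

Get-Ed2502Triage | Sort-Object Action | Format-Table -AutoSize
if (Test-HybridPresent) {
    Write-Host 'Hybrid configuration present: Steps 3-6 apply, including 5.b credential cleanup.'
} else {
    Write-Host 'No hybrid configuration object found; confirm from records whether hybrid was ever used (Step 1.d).'
}
```

Servers reported as DISCONNECT map to Step 2; everything else still needs the Health Checker run in Step 4.c, because the CU build alone cannot show whether the April 2025 HU is installed.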

By 5:00 PM EDT on Monday, August 11, 2025, ALL agencies must:

7. Report to CISA using the CISA-provided template.

CISA Actions:

1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.

2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.

3. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.

4. By December 1, 2025, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

Article Information:

In addition to the requirement to disconnect end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script, CISA highly recommends that agencies disconnect the "Last Exchange Server", which remains after an agency has transitioned to M365 Exchange. Guidance for decommissioning Exchange servers is in the Microsoft Learn article "How and when to decommission your on-premises Exchange servers in a hybrid deployment".

Release Date: 07-August-2025

Source: U.S. CISA - https://www.cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability