Updated advisory from CISA and Microsoft on Exchange Server hybrid vulnerability
In a joint effort to protect organizations using on-premises versions of Microsoft Exchange Server, the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have updated their mitigation guidance for a high-severity flaw tracked as CVE-2025-53786.
Last week, Microsoft urged users of on-premises Exchange servers to download the April 2025 Exchange Server hotfix updates. Following this, CISA urged organizations to review Microsoft's updated guidance on identifying Exchange Servers on a network and running the Microsoft Exchange Health Checker.
The flaw allows an attacker who already holds administrative access to an on-premises Exchange server to escalate privileges in the organization's connected cloud environment. In vulnerable hybrid configurations, on-premises Exchange and Exchange Online share the same service principal, so an attacker controlling the on-premises server can abuse that trust to reach Exchange Online, and Microsoft warns that the escalation can be carried out without leaving easily detectable and auditable traces.
To address this issue, CISA recommends that organizations first inventory all Exchange Servers on their networks, using tools such as Nmap or PowerShell scripts, to identify potentially vulnerable servers. Microsoft initially released a non-security hotfix on April 18, 2025, that introduces support for the dedicated Exchange hybrid app and mitigates this issue in hybrid deployments. Organizations must apply that hotfix or a later update that includes it, such as the August 2025 Exchange Server Security Updates, which include fixes for CVE-2025-53786. Installing the update alone is not sufficient: the hybrid configuration change described next is also required.
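The inventory-then-check step above, as an added PowerShell example that is not CISA's or Microsoft's own tooling (Microsoft's Exchange Health Checker does this more thoroughly). It enumerates every Exchange server registered in the Active Directory configuration partition and then reads the build from ExSetup.exe on each server, because the serialNumber attribute in AD (like Get-ExchangeServer's AdminDisplayVersion) only reflects the installed Cumulative Update, not the hotfix or security update on top of it. The build numbers in the default table are assumptions written for illustration; verify each against Microsoft's published Exchange build number table before relying on the result. The script assumes a domain-joined workstation with WinRM access to the servers.

```powershell
<#
  Added example, not Microsoft's or CISA's script.
  Inventory Exchange servers from AD and compare each server's real build
  (ExSetup.exe file version) against a minimum build per CU line.
#>
param(
    # ASSUMED minimum builds, keyed by CU line (major.minor.build -> minimum revision).
    # Verify every value against Microsoft's Exchange build number table.
    [hashtable]$MinimumBuild = @{
        '15.1.2507' = 55   # Exchange 2016 CU23 (assumed April 2025 HU build)
        '15.2.1544' = 25   # Exchange 2019 CU14 (assumed April 2025 HU build)
        '15.2.1748' = 24   # Exchange 2019 CU15 (assumed April 2025 HU build)
    },
    [string]$OutCsv = '.\ExchangeInventory.csv'
)

# 1. Inventory: every Exchange server object lives in the AD configuration partition,
#    so this works without RSAT by using plain ADSI/DirectorySearcher.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$configNc",
    '(objectClass=msExchExchangeServer)',
    @('name', 'networkAddress', 'serialNumber')
)
$searcher.PageSize = 500
$servers = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    # networkAddress holds entries such as "ncacn_ip_tcp:ex01.corp.example.com"; take the FQDN one.
    $fqdn = ($p['networkaddress'] | Where-Object { $_ -like 'ncacn_ip_tcp:*' } |
             Select-Object -First 1) -replace '^ncacn_ip_tcp:', ''
    [pscustomobject]@{
        Name      = [string]$p['name'][0]
        Fqdn      = if ($fqdn) { $fqdn } else { [string]$p['name'][0] }
        AdVersion = [string]$p['serialnumber'][0]   # CU level only, e.g. "Version 15.2 (Build 1748.10)"
    }
}

# 2. Patch level: the file version of ExSetup.exe does reflect the installed HU/SU.
function Get-ExchangeBuild {
    param([string]$ComputerName)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.FileVersion.Trim()
        }
    } catch {
        $null   # unreachable or WinRM denied; reported as such below, never silently "patched"
    }
}

# Compare within the CU line only: a CU15 RTM build (15.2.1748.10) is numerically higher
# than a patched CU14 build (15.2.1544.25) yet still lacks the hotfix, so a plain
# [version] comparison across lines would give the wrong answer.
function Test-ExchangeBuild {
    param([string]$FileVersion, [hashtable]$Minimum)
    if (-not $FileVersion) { return 'Unreachable: check manually' }
    $v = [version]$FileVersion   # "15.02.1748.024" parses to 15.2.1748.24
    $cuLine = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    if (-not $Minimum.ContainsKey($cuLine)) { return "Unknown CU line ${cuLine}: check manually" }
    if ($v.Revision -ge $Minimum[$cuLine]) { 'Patched' } else { 'VULNERABLE: below minimum build' }
}

$report = foreach ($s in $servers) {
    $build = Get-ExchangeBuild -ComputerName $s.Fqdn
    [pscustomobject]@{
        Server    = $s.Name
        Fqdn      = $s.Fqdn
        AdVersion = $s.AdVersion
        FileBuild = $build
        Status    = Test-ExchangeBuild -FileVersion $build -Minimum $MinimumBuild
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path $OutCsv
```

Servers that cannot be reached over WinRM, or that run a CU line missing from the table, are flagged for manual review rather than reported as patched; a server that is listed in AD but decommissioned without being uninstalled will also show up here and should be cleaned out of AD, since stale server objects still count as hybrid participants.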
Microsoft also advises following the configuration guidance in the article "Deploy dedicated Exchange hybrid app," which replaces the shared service principal with an app registration dedicated to the on-premises servers and thereby removes the trust the escalation relies on. For organizations that previously configured OAuth authentication between on-premises Exchange and Exchange Online but no longer use it, Microsoft recommends resetting the keyCredentials on the Exchange Online service principal, which removes the certificates the legacy trust relied on and revokes any lingering access.
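The keyCredentials reset described above, as an added example rather than Microsoft's own script or the Hybrid Configuration Wizard's clean-up mode. It lists the certificate credentials currently attached to the tenant's Exchange Online first-party service principal (the well-known appId 00000002-0000-0ff1-ce00-000000000000) and clears them only when run with -Reset. The module name and the Application.ReadWrite.All permission are what the Microsoft Graph PowerShell SDK requires for this call, as far as this example assumes; the PATCH with an empty keyCredentials array is the same operation Microsoft's guidance performs.

```powershell
<#
  Added example, not Microsoft's script.
  Audit, and optionally clear, keyCredentials on the Exchange Online service principal.
  Only do the reset if hybrid OAuth between Exchange Server and Exchange Online is no
  longer in use (or the dedicated hybrid app is already deployed): cross-premises features
  that still ride on the legacy trust, such as free/busy lookups, break once these are gone.
#>
param([switch]$Reset)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online app
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" -Property Id,DisplayName,KeyCredentials
if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }

$creds = @($sp.KeyCredentials)
if ($creds.Count -eq 0) {
    Write-Host "No keyCredentials on '$($sp.DisplayName)' ($($sp.Id)); nothing to reset."
    return
}

# Certificates uploaded by the Hybrid Configuration Wizard or a manual OAuth setup appear here.
# An expired certificate that is still listed is a sign the trust was abandoned, not removed.
Write-Host "keyCredentials on '$($sp.DisplayName)' ($($sp.Id)):"
$creds | Select-Object DisplayName, Type, Usage, StartDateTime, EndDateTime, KeyId |
    Format-Table -AutoSize

if (-not $Reset) {
    Write-Host 'Dry run only. Re-run with -Reset to clear these credentials.'
    return
}

# Reset: PATCH the service principal with an empty keyCredentials array, which removes
# every certificate credential at once. This is the revocation step the guidance refers to.
$uri  = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
$body = @{ keyCredentials = @() } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# Verify the result instead of trusting the return code.
$after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property KeyCredentials
$remaining = @($after.KeyCredentials).Count
if ($remaining -ne 0) { throw "Reset did not take effect: $remaining keyCredentials remain." }
Write-Host 'keyCredentials cleared; legacy OAuth certificate trust revoked.'
```

Run it without -Reset first and keep the printed list as an audit record; the KeyId and EndDateTime values tell you whether the certificates were recent (someone is still relying on them) or long expired (safe to remove, and overdue).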
CISA updated its guidance on August 12, 2025, including clarification on identifying Exchange Servers using Microsoft Exchange Health Checker and other detection methods. No public proof-of-concept exploits or active exploitation have been reported yet, but the risk is severe enough to warrant immediate mitigation.
In summary, organizations should urgently:
- Inventory all Exchange Servers on their networks.
- Apply the April 2025 hotfix or a later update that includes it, such as the August 2025 Exchange Server Security Updates.
- Follow Microsoft’s hybrid Exchange configuration best practices, including deploying a dedicated hybrid app.
- Reset the Exchange Online service principal's keyCredentials if the legacy OAuth configuration is no longer actively used.
- Monitor for further guidance from Microsoft and CISA as the situation evolves.
This combined guidance aims to prevent privilege escalation attacks that could compromise both on-premises and Exchange Online identities and services. As CISA stated in its Tuesday update, there is at this time no evidence of attackers exploiting the flaw. Even so, corporate stakeholders are asking for a clearer view of the risk calculus of their technology stacks, and specifically whether they are a potential target, which puts the burden on CISOs to understand the hybrid trust this flaw abuses and to confirm that the mitigations above have actually been applied.