CISA Issues Urgent Advisory Calling on Federal Agencies to Fix Exchange Server Flaw by Monday.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency advisory mandating all Federal Civilian Executive Branch agencies to urgently address a newly identified vulnerability in Microsoft Exchange, tracked as CVE-2025-53786, by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability allows attackers with administrative access to an on-premises Exchange server to move laterally into connected Microsoft 365 cloud environments, potentially resulting in full domain compromise for affected hybrid deployments. Although Microsoft has reported no observed exploitation in the wild at the time of publication, both Microsoft and CISA have emphasised the severe risk this vulnerability poses to organisations using Exchange hybrid configurations. The severity stems from the fact that Exchange Server and Exchange Online have historically shared the same service principal in Entra ID, which enables potential abuse without an easily detectable audit trail. The vulnerability impacts Microsoft Exchange Server 2016, 2019, and the Subscription Edition in hybrid-joined deployments.
CISA’s directive outlines stringent timelines and specific actions that agencies must undertake. By 9:00 AM EDT on Monday, agencies are required to inventory and assess their Exchange environments using Microsoft’s Exchange Server Health Checker. They must identify current cumulative updates, determine eligibility for the April 2025 Hotfix Updates (HUs), and disconnect any end-of-life or ineligible servers. Agencies that operate or have ever operated Exchange in hybrid mode must update to the latest supported cumulative update (Exchange 2019 CU14 or CU15; Exchange 2016 CU23), apply the April 2025 HUs, validate their systems via the Health Checker, and monitor for known issues such as EdgeTransport.exe behaviour with Azure RMS. A critical mitigation strategy involves transitioning from the legacy shared service principal to Microsoft’s new dedicated Exchange hybrid application in Entra ID, utilising the ConfigureExchangeHybridApplication script with the appropriate Entra permissions. Microsoft initiated this transition with the April 2025 HUs as part of its Secure Future Initiative, which aims to separate Exchange Server and Exchange Online identities and prepare customers for a broader shift from Exchange Web Services (EWS) to Microsoft Graph API with granular permissions. Microsoft has cautioned that the use of the shared service principal will be blocked starting October 2025, with updates to the Graph permission model expected by October 2026. Temporary EWS enforcement blocks are set to begin this month to expedite adoption. CISA also recommends that organisations that previously configured a hybrid but no longer use it reset key credentials using Microsoft’s Service Principal Clean-Up Mode and run the Health Checker after making changes to ensure compliance. 
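The first step the directive sets out, inventorying Exchange servers and deciding whether each is end-of-life, below the required cumulative update, or ready for the April 2025 Hotfix Update, can be scripted against the version strings Exchange reports. The PowerShell below is an added example written for this article; it is not code from CISA, Microsoft or the advisory. It runs offline against a constructed sample inventory so the logic can be checked before pointing it at a live environment. The cumulative-update baseline build numbers (2016 CU23 = 15.1.2507, 2019 CU14 = 15.2.1544, CU15 = 15.2.1748) are assumptions recalled from Microsoft's published Exchange build table and must be confirmed against that table and against Health Checker output; the server names and builds in the sample are constructed.

```powershell
# Added example, not from the CISA advisory or from Microsoft.
# Classifies Exchange servers against the cumulative-update baselines named in
# the directive (Exchange 2019 CU14/CU15, Exchange 2016 CU23) and flags what
# the admin should do next. Baseline builds below are ASSUMED from Microsoft's
# Exchange build table as recalled here; verify before relying on them.

# Minimum CU build per product line, keyed by the "Major.Minor" prefix that
# Get-ExchangeServer reports in AdminDisplayVersion (15.1 = 2016, 15.2 = 2019
# and Subscription Edition). Anything else (15.0 = 2013, 14.x = 2010) is EOL.
$CuBaselines = @{
    '15.1' = @{ Name = 'Exchange 2016 CU23';      MinBuild = 2507 }  # assumed
    '15.2' = @{ Name = 'Exchange 2019 CU14/CU15'; MinBuild = 1544 }  # assumed: CU14 = 1544, CU15 = 1748
}

function Test-ExchangeCuBaseline {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        # AdminDisplayVersion rendered as a string, e.g. "Version 15.2 (Build 1544.4)"
        [Parameter(Mandatory)][string]$AdminDisplayVersion,
        # $true if Get-HybridConfiguration returns an object (hybrid is, or was, configured)
        [bool]$HybridConfigured = $false
    )

    if (-not ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)')) {
        return [pscustomobject]@{
            Server = $ServerName; Line = $AdminDisplayVersion; Build = $null
            Hybrid = $HybridConfigured; Status = 'UNPARSEABLE'; Action = 'Inspect manually'
        }
    }
    $line  = "$($Matches[1]).$($Matches[2])"
    $build = [int]$Matches[3]
    $baseline = $CuBaselines[$line]

    if (-not $baseline) {
        # Product line not eligible for the April 2025 HU at all.
        $status = 'END-OF-LIFE'
        $action = 'Disconnect: not eligible for the April 2025 HU'
    } elseif ($build -lt $baseline.MinBuild) {
        $status = 'BELOW-BASELINE'
        $action = "Update to $($baseline.Name), then apply the April 2025 HU"
    } else {
        # CU level is fine; HU presence is something Health Checker reports, not this script.
        $status = 'CU-OK'
        $action = 'Confirm April 2025 HU is installed via Health Checker'
    }

    if ($HybridConfigured -and $status -ne 'END-OF-LIFE') {
        $action += '; run ConfigureExchangeHybridApplication.ps1 to move off the shared service principal'
    }

    [pscustomobject]@{
        Server = $ServerName; Line = $line; Build = $build
        Hybrid = $HybridConfigured; Status = $status; Action = $action
    }
}

# Constructed sample inventory (server names and builds are made up for the example).
$SampleInventory = @(
    @{ ServerName = 'EX19-01'; AdminDisplayVersion = 'Version 15.2 (Build 1748.10)'; HybridConfigured = $true  }
    @{ ServerName = 'EX19-02'; AdminDisplayVersion = 'Version 15.2 (Build 1258.12)'; HybridConfigured = $true  }
    @{ ServerName = 'EX16-01'; AdminDisplayVersion = 'Version 15.1 (Build 2507.6)';  HybridConfigured = $false }
    @{ ServerName = 'EX13-01'; AdminDisplayVersion = 'Version 15.0 (Build 1497.2)';  HybridConfigured = $false }
)

$SampleInventory | ForEach-Object {
    $p = $_                      # splat each hashtable as named parameters
    Test-ExchangeCuBaseline @p
} | Format-Table -AutoSize
```

Against a live environment, replace `$SampleInventory` with the output of `Get-ExchangeServer` (using `[string]$_.AdminDisplayVersion` for the version string) from the Exchange Management Shell, and set `HybridConfigured` from whether `Get-HybridConfiguration -ErrorAction SilentlyContinue` returns anything. The script covers only the cumulative-update triage step; confirming the April 2025 HU, validating the result, and running `ConfigureExchangeHybridApplication` with the required Entra permissions remain the Health Checker and script tasks the directive describes.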
By 5:00 PM EDT on Monday, agencies must report their status to CISA using a provided template, with CISA pledging ongoing partner notifications, technical assistance, and a cross-agency status report by December 1, 2025. Security firms and media outlets have echoed the urgency of the advisory, with analysts likewise describing the situation as critical.