CISA, Microsoft issue alerts on ‘high-severity’ Exchange vulnerability

Customers of Microsoft are being warned of a new vulnerability impacting on-premise Exchange servers.

The Cybersecurity and Infrastructure Security Agency (CISA) released an urgent warning on Wednesday evening about CVE-2025-53786 — a bug that would allow hackers with administrative access to on-premise Microsoft Exchange servers to escalate their privileges and take further malicious actions. 

Entities should disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet, according to CISA. 

CISA cited SharePoint Server 2013 and earlier versions as examples of end-of-life technology that should be discontinued if still in use. 

Microsoft said it had not seen exploitation of the bug as of Wednesday, but CISA warned that if the vulnerability is not addressed it “could impact the identity integrity of an organization’s Exchange Online service.”

“CISA issued an alert tonight on a high-severity vulnerability we are actively monitoring and mitigating with on-premise Microsoft Exchange server that was disclosed today,” said CISA’s acting executive assistant director, Chris Butera. 

“As with all high-severity threats and vulnerabilities, we immediately began working with Microsoft and our government and industry partners to assess the scope and impact. All organizations are strongly encouraged to implement Microsoft guidance to reduce risk.”

Microsoft Exchange is one of the company’s most popular products, allowing organizations to offer employees access to email, calendar and collaboration platforms.  

A spokesperson for the company credited Dirk-Jan Mollema from Netherlands-based Outsider Security for discovering the vulnerability and reporting it. 

Microsoft officials argued that an attacker “would need to have obtained a highly privileged role to an on-premises server to attempt” exploitation of the bug.

CISA also issued an emergency directive ordering all federal civilian agencies to assess their current Microsoft Exchange environment, install the necessary updates and disconnect all end-of-life servers by Monday. The agency said it will send a report to the White House and Department of Homeland Security about the incident by December 1.

‘Hot Fix’ was available

The CISA alert links to a Microsoft blog post that explains recent changes to how Exchange servers are deployed in organizations.

Buried deep in the document is a brief mention of CVE-2025-53786 and a link to a page with more information on the vulnerability. In it, Microsoft explained that on April 18, it announced changes to how customers interact with Exchange Servers that were made “in the general interest of improving the security of hybrid Exchange deployments.”

“Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement,” the tech giant said. 

“Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment.”

Microsoft’s spokesperson added that the April push to change how customers interact with Exchange Servers was part of the wider Secure Future Initiative — an effort started in the wake of another high-profile Microsoft Exchange-related email breach involving the U.S. Commerce Secretary and Congressman Don Bacon.

CISA said organizations need to implement Microsoft’s guidance or “risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.”

Microsoft Exchange has in the past been heavily targeted by both nation-state actors and cybercriminals because it offers easy access to troves of emails, calendars and more. 

A 2021 campaign by China-based actors against Microsoft Exchange servers saw hundreds of organizations impacted.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.