CISA Issues Emergency Directive Requiring Federal Agencies to Fix Flaw
A vulnerability in Exchange hybrid deployments could allow attackers to escalate privileges and gain administrative access to cloud-based environments.
The vulnerability, tracked as CVE-2025-53786, allows attackers to read, exfiltrate and delete emails from any mailbox within the organization. They could auto-forward emails to external accounts. A hacker would already need administrative access to an on-premise Exchange server for the attack to be successful. The flaw rates 8.0 on the CVSS scale.
Microsoft said Tuesday there is no evidence of its exploitation and “strongly” recommended installing hotfix updates made available in April and following updated configuration guidance for hybrid deployments.
The U.S. Cybersecurity and Infrastructure Security Agency used its emergency directive authority Thursday to direct federal agencies to immediately implement Microsoft’s mitigation guidance. The missive says CISA is also not aware of any active exploitation.
Exchange servers are a recurring target for nation-state hackers, including Chinese hackers now tracked as Silk Typhoon who in 2021 used four zero-day vulnerabilities known as the ProxyLogon flaw in a global cyberespionage operation that swept up governments, military contractors and universities (see: US: Chinese Government Waged Microsoft Exchange Attacks).
Some organizations – particularly those that carry a legacy of previously separate email systems – use a combination of locally managed Exchange servers with an Exchange Online cloud backend to obtain features such as a unified global address list, shared calendars and a shared domain namespace. Exploitation of CVE-2025-53786 takes advantage of a shared service principal object used to authenticate the communication between the on-premise server and the cloud. Hackers with administrative access to the on-premise server could send fake tokens or API calls to the cloud to commandeer inboxes.
The vulnerability is concerning because hackers wouldn’t leave auditable traces, said Stephen Fewer, senior principal researcher at Rapid7. “This vulnerability turns a serious on-premises Exchange breach into a full-scale, hard-to-detect cloud compromise – leveraging living-off-the-land techniques that are notoriously difficult for defenders to spot.”
Changes announced by Microsoft in April are meant to replace the shared service principal object with a more secure substitute that will become mandatory on October 31. The computing giant complained Wednesday that customer migration to the new, dedicated Exchange hybrid app has been low. It said it would deliberately introduce “brief disruptions” to Exchange web services traffic using the shared service principal “to speed up customer adoption.” The first disruption is set to last two days and begin on Aug. 19.
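A defender-side check that follows from the two paragraphs above (the shared service principal the hybrid trust relies on, and the migration to a dedicated hybrid app): list whatever certificate credentials are still attached to the tenant's Exchange Online first-party service principal. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed, that the account has Application.Read.All, and that the well-known appId below identifies the Exchange Online first-party application that the hybrid configuration writes its authentication certificate to.

```powershell
# Added example (not from the article or Microsoft). Lists certificate credentials still
# attached to the Exchange Online first-party service principal, i.e. the shared object the
# article says on-premise Exchange uses to authenticate to the cloud. A non-empty list means
# on-premise certificates still carry cloud-side authority and the migration clean-up is not done.
# Assumption: Microsoft.Graph module present; Application.Read.All is sufficient to read it.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Assumption: well-known appId of the "Office 365 Exchange Online" first-party application.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"

$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (-not $sp) {
    Write-Warning "Exchange Online service principal not found in this tenant."
    return
}

$creds = @($sp.KeyCredentials)
if ($creds.Count -eq 0) {
    Write-Output "No certificate credentials on the shared service principal; clean-up appears complete."
} else {
    Write-Output "$($creds.Count) certificate credential(s) still attached to the shared service principal:"
    $creds | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            # CustomKeyIdentifier holds the certificate thumbprint as raw bytes.
            Thumbprint  = if ($_.CustomKeyIdentifier) {
                              ([BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-'
                          } else { $null }
            StartDate   = $_.StartDateTime
            EndDate     = $_.EndDateTime
        }
    } | Format-Table -AutoSize
}
```

Cross-check any thumbprint listed against the authentication certificate on each on-premise Exchange server; an entry that matches no current server certificate is exactly the kind of stale credential worth removing as part of the migration.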
Jeff Williams, co-founder & CTO of Contrast Security, told Information Security Media Group that the danger of the vulnerability has been exaggerated, since it requires hackers to already have gained administrative access to an on-premise server. “This isn’t the end of the world, it’s a clean-up your permissions thing,” he said.
Hybrid deployment of Exchange is exceedingly complex, he also said. “My advice would be try to get off of on-premise Exchange. It’s way too complicated for most organizations to run. I’ve heard it said that the only organization that should run Exchange on-premise is Microsoft.”