Federal cyber authorities and Microsoft have issued warnings about a high-severity vulnerability affecting on-premises Microsoft Exchange servers, which could allow attackers to gain control of connected cloud-based environments. The vulnerability, identified as CVE-2025-53786, affects Entra ID, an identity and access management service, and was publicly disclosed at the Black Hat conference.
Microsoft said exploitation requires administrative access to an on-premises Exchange server in a hybrid environment, but from there attackers can escalate privileges into the connected cloud environment because of the permissions the two share. The company has already addressed the vulnerability with hotfix updates released in April, but warned that organizations must both apply these updates and implement the accompanying configuration changes to prevent exploitation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to run a script to check for vulnerabilities, update eligible servers, and disconnect end-of-life Exchange servers by Monday. CISA described the vulnerability as “grave” and urged organizations to act quickly to mitigate the risk.
Microsoft plans to temporarily block Exchange Web Services traffic using shared service principals starting later this month, with permanent blocking expected by the end of October. The company aims to accelerate adoption of its dedicated Exchange hybrid app, but noted that only a small number of customers have created the app so far.
Organizations are advised to disconnect internet-exposed and end-of-life versions of Exchange Server and SharePoint Server. This follows recent security alerts about a mass attack spree linked to a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, which impacted over 400 organizations, including multiple government agencies.
Source: https://cyberscoop.com/cisa-microsoft-exchange-vulnerability