Compliance with Emergency Directive 25-02: Essential Steps for Mitigating Microsoft Exchange Vulnerability

Microsoft-CISA

Introduction

The Cybersecurity and Infrastructure Security Agency’s (CISA) Emergency Directive 25-02 has been issued to address a critical post-authentication vulnerability (CVE-2025-53786) affecting Microsoft Exchange hybrid-joined configurations. This directive requires immediate action from federal agencies to prevent lateral movement from on-premises Exchange servers into the Microsoft 365 (M365) cloud environment. Compliance is mandatory and urgent: all agencies must complete the outlined actions by August 11, 2025, since failing to do so could expose sensitive information to malicious actors.

Background

CISA is alerting agencies about a vulnerability that allows an attacker who already holds administrative access to the on-premises Exchange server to move laterally into the M365 cloud environment. The vulnerability is particularly severe for hybrid configurations that have not yet applied Microsoft's April 2025 patch guidance, which is why immediate mitigation is required.

Required Actions

Agencies are required to follow this schedule:

By 9:00 AM EDT on Monday, August 11, 2025:

  1. Assess Current Microsoft Exchange Environment
    • Use the Microsoft Exchange Server Health Checker script to identify all Exchange servers.
    • Ensure that all servers are running the latest compatible Cumulative Update (CU).
    • Confirm eligibility for the April 2025 Hotfix Updates (HUs).
    • For hybrid configurations, also complete the steps listed under "For Hybrid Environments" below.
  2. Disconnect End-of-Life Servers
    • Decommission any Exchange servers that are not eligible for the April 2025 Hotfix Updates.

For Hybrid Environments:

  1. Update to Latest Cumulative Update (CU)
    • Use the Exchange Update Wizard to plan your upgrade.
    • Install the latest CU supported by your environment (CU14/15 for Exchange 2019 or CU23 for Exchange 2016).
  2. Apply April 2025 Hotfix Updates (HUs), Validate, and Monitor
    • Deploy the dedicated Microsoft Exchange hybrid application in Entra ID with the HUs.
    • Re-validate post updates with the Health Checker script.
    • Monitor for known updates and address any installation issues with SetupAssist and repair tools.
  3. Transition to Dedicated Exchange Hybrid Application
    • Switch from the shared service principal to the dedicated hybrid application using the ConfigureExchangeHybridApplication.ps1 script.
    • Perform a credential reset with ResetFirstPartyServicePrincipalKeyCredential.
  4. Prepare for Microsoft Graph API Transition
    • Begin the planning phase for retiring EWS in favor of Microsoft Graph API for hybrid functionalities.
    • Be aware of the transition deadlines set for October 2025 and October 2026.
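The assessment and update steps above amount to a triage of each server by product and Cumulative Update level. The PowerShell below is an added example for this summary, not part of ED 25-02 or of Microsoft's tooling; it classifies an inventory against the CU levels the directive names (Exchange 2016 CU23, Exchange 2019 CU14 or later) and flags servers that cannot receive the April 2025 Hotfix Update and therefore fall under the "disconnect" step. The baseline build numbers are assumptions taken from Microsoft's public Exchange Server build-number table and should be confirmed against that table; the server inventory is constructed sample data.

```powershell
# Added example for this summary; it is not part of ED 25-02 or Microsoft's tooling.
# Triage an Exchange server inventory against the CU levels the directive names
# (Exchange 2016 CU23, Exchange 2019 CU14 or later) and flag servers that cannot
# receive the April 2025 Hotfix Update (HU).
#
# Assumption: the baseline builds below are the CU release builds as taken from
# Microsoft's public Exchange Server build-number table; confirm them against that
# table before acting on the output.

$CuBaseline = @{
    '15.1' = @{ Product = 'Exchange Server 2016'; Cu = 'CU23'; MinBuild = [version]'15.1.2507.6' }
    '15.2' = @{ Product = 'Exchange Server 2019'; Cu = 'CU14'; MinBuild = [version]'15.2.1544.4' }
}

function Get-ExchangeTriage {
    [CmdletBinding()]
    param(
        # Objects carrying Name plus Major/Minor/Build/Revision, the same
        # shape as the AdminDisplayVersion property returned by Get-ExchangeServer.
        [Parameter(Mandatory)] [object[]] $Servers
    )
    foreach ($s in $Servers) {
        $key   = "$($s.Major).$($s.Minor)"
        $build = [version]"$($s.Major).$($s.Minor).$($s.Build).$($s.Revision)"
        $base  = $CuBaseline[$key]

        if (-not $base) {
            # 15.0 (Exchange 2013) and older: no April 2025 HU exists for them,
            # so they fall under the directive's "Disconnect End-of-Life Servers" step.
            $product = 'Unsupported / end of life'
            $action  = 'Decommission: not eligible for April 2025 HU'
        } elseif ($build -lt $base.MinBuild) {
            $product = $base.Product
            $action  = "Install $($base.Cu) or later, then apply April 2025 HU"
        } else {
            $product = $base.Product
            # AdminDisplayVersion only reflects the CU; HUs and SUs change the
            # ExSetup.exe file version, which is what HealthChecker reports.
            $action  = 'CU level OK: confirm April 2025 HU with HealthChecker'
        }

        [pscustomobject]@{
            Name    = $s.Name
            Product = $product
            Build   = $build.ToString()
            Action  = $action
        }
    }
}

# Constructed sample inventory (not real servers). In production, build the
# input from the Exchange Management Shell instead:
#   $inventory = Get-ExchangeServer | ForEach-Object {
#       $v = $_.AdminDisplayVersion
#       [pscustomobject]@{ Name = $_.Name; Major = $v.Major; Minor = $v.Minor
#                          Build = $v.Build; Revision = $v.Revision }
#   }
$inventory = @(
    [pscustomobject]@{ Name = 'EX2013-01'; Major = 15; Minor = 0; Build = 1497; Revision = 2 }
    [pscustomobject]@{ Name = 'EX2016-01'; Major = 15; Minor = 1; Build = 2375; Revision = 7 }
    [pscustomobject]@{ Name = 'EX2016-02'; Major = 15; Minor = 1; Build = 2507; Revision = 6 }
    [pscustomobject]@{ Name = 'EX2019-01'; Major = 15; Minor = 2; Build = 1544; Revision = 4 }
)

Get-ExchangeTriage -Servers $inventory | Format-Table -AutoSize
```

The important caveat is in the last branch: `Get-ExchangeServer` reports only the Cumulative Update level, so a server at or above the CU baseline still has to be checked for the Hotfix Update itself. That is exactly what the directive's "re-validate with the Health Checker script" step covers, since HealthChecker reads the installed file version rather than the CU-level property.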

By 5:00 PM EDT on Monday, August 11, 2025:

  1. Report to CISA
    • Submit your agency's actions utilizing the CISA-provided reporting template.

CISA Actions

  • CISA will assist agencies lacking the internal capacity to comply with the Directive.
  • By December 1, 2025, a status report detailing cross-agency progress and issues will be sent to senior officials.

Duration

The directive remains in effect until CISA determines that all agencies are compliant, or until it is terminated through other action.

Additional Information

  • Decommission any "Last Exchange Server" after transitioning to M365 Exchange. Follow Microsoft's guidance on how and when to decommission on-premises Exchange in a hybrid deployment.

References

  • Emergency Directive 25-02: Official CISA directive text
  • Microsoft Exchange Server Health Checker script: Microsoft's resource to assess Exchange configurations
  • How to Decommission Your Last Exchange Server in a Hybrid Deployment: Microsoft Learn resource
  • CISA-provided reporting template: To be distributed by CISA to agencies for compliance tracking

Conclusion

Time is of the essence: agencies must act rapidly to mitigate this vulnerability and maintain the security and integrity of their hybrid Microsoft Exchange environments. Following these directives in full will provide protection against potential attacks stemming from this significant risk.