CISA orders federal agencies to patch critical Exchange hybrid vulnerability by Monday morning — what organizations need to know

CISA orders federal agencies to fix a critical Exchange hybrid vulnerability (CVE-2025-53786) by Monday; migration to a dedicated hybrid app is required to prevent tenant compromise.

    Emergency directive demands fixes for CVE-2025-53786 in hybrid Exchange setups to prevent lateral cloud compromise and tenant takeover

    Federal civilian agencies have been told to treat a newly disclosed Exchange hybrid vulnerability as an immediate emergency. CISA’s Emergency Directive 25-02 requires all Federal Civilian Executive Branch (FCEB) agencies to complete technical mitigations for CVE-2025-53786 by 9:00 AM ET on Monday, and to file a compliance report the same day by 5:00 PM.

    The flaw affects Microsoft Exchange Server 2016, Exchange Server 2019 and the Subscription Edition when deployed in hybrid configurations. In those setups, on-premises Exchange and Exchange Online share a service principal. An attacker with administrative access to an on-prem Exchange server can abuse that shared trust to forge tokens or API calls and move laterally into Microsoft cloud services — potentially yielding full tenant compromise.

    What the Exchange hybrid vulnerability does and who is at risk

    Explains how on-prem admin access can lead to cloud takeover, and why hybrid architectures matter

    The vulnerability is a post-exploitation path: an adversary first needs admin privileges on an on-prem Exchange server. From there, the attacker can manipulate the shared hybrid service principal to issue cloud-trusted calls. Microsoft warned that some cloud-side telemetry — including Purview logging — may not show suspicious activity if it originates from the on-prem Exchange side, complicating detection.

    Microsoft and CISA stress this is especially dangerous in environments that still use the older shared hybrid application. The April 2025 guidance and hotfix introduced a safer model using a dedicated hybrid application and a dedicated service principal. Organizations that applied those measures earlier are already protected against this attack path.

    CISA’s mandated steps and the Monday deadline

    CISA’s directive requires agencies to:

    • Inventory Exchange deployments using Microsoft’s Health Checker script.
    • Disconnect unsupported or end-of-life Exchange servers not covered by April mitigations.
    • Update remaining servers to the latest cumulative updates (CU14/CU15 for Exchange 2019; CU23 for Exchange 2016).
    • Apply the April hotfix that supports the dedicated hybrid app architecture.
    • Run Microsoft’s ConfigureExchangeHybridApplication.ps1 script to migrate to a dedicated service principal in Entra ID.

    Agencies must finish technical remediation by 9:00 AM ET Monday and submit a written report to CISA by 5:00 PM ET that day.
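The five steps above are effectively a decision procedure per server. The following is an added example (not CISA's or Microsoft's code) that encodes that procedure as a triage script: it assumes the operator has already run Microsoft's Health Checker on each server and exported the relevant facts into a CSV, and the column names, server names and sample rows are constructed for this example. Subscription Edition carries no CU number, so the script judges it on hotfix and hybrid-app state only; that is an assumption, since the page names CU requirements only for 2019 and 2016.

```python
"""Triage an Exchange inventory against the five ED 25-02 steps.

Added example, not CISA's or Microsoft's code. It assumes the operator has
already run Microsoft's Health Checker on each server and exported the facts
below into a CSV; the column names are constructed for this example.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Minimum cumulative updates the directive names (Exchange 2019: CU14/CU15,
# Exchange 2016: CU23). Subscription Edition carries no CU number, so it is
# judged on hotfix and hybrid-app state only (assumption).
REQUIRED_CU = {
    "2019": {"CU14", "CU15"},
    "2016": {"CU23"},
    "SE": None,
}

# Constructed sample inventory; the yes/no flags are what an operator would
# record after reading the Health Checker output for each server.
SAMPLE_INVENTORY = """\
server,version,cu,hybrid,april_hotfix,dedicated_hybrid_app
EX01,2019,CU15,yes,yes,yes
EX02,2019,CU13,yes,no,no
EX03,2016,CU23,yes,yes,no
EX04,2013,CU23,yes,no,no
EX05,SE,,yes,no,no
EX06,2016,CU23,no,no,no
"""


@dataclass
class Finding:
    server: str
    action: str  # disconnect | update | apply_hotfix | migrate | compliant


def triage_server(row: dict) -> Finding:
    """Map one server's state to the first directive step still outstanding.

    Checks run in the directive's order, so a server that is both out of date
    and unmigrated is reported as 'update' first; re-running the triage after
    each step surfaces the next one.
    """
    server = row["server"].strip()
    version = row["version"].strip()
    if version not in REQUIRED_CU:
        # Unsupported / end-of-life release: the directive says disconnect it.
        return Finding(server, "disconnect")
    required = REQUIRED_CU[version]
    if required is not None and row["cu"].strip() not in required:
        return Finding(server, "update")
    if row["april_hotfix"].strip().lower() != "yes":
        return Finding(server, "apply_hotfix")
    # Migration to the dedicated hybrid app only applies to hybrid servers.
    if (row["hybrid"].strip().lower() == "yes"
            and row["dedicated_hybrid_app"].strip().lower() != "yes"):
        return Finding(server, "migrate")
    return Finding(server, "compliant")


def triage_inventory(csv_text: str) -> list[Finding]:
    """Parse the CSV export and triage every server in it."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [triage_server(row) for row in reader]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count servers per outstanding action, for the compliance report."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for finding in results:
        print(f"{finding.server}: {finding.action}")
    print(summarize(results))
```

Running it against the sample reports one server to disconnect, one to update, two that still need the April hotfix, one that has the hotfix but is still on the shared hybrid application, and one that is compliant; the per-action counts are what a written report to CISA needs.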

    Researcher disclosure and Microsoft coordination

    How the issue came to light and why some systems are already safe

    Security researcher Dirk-Jan Mollema of Outsider Security demonstrated the attack at Black Hat. He told vendors he discovered the issue weeks earlier and coordinated disclosure with Microsoft. Mollema described the problem as a protocol design gap that lacks important security controls.

    “Aside from this guidance Microsoft also mitigated an attack path that could lead to full tenant compromise (Global Admin) from on-prem Exchange,” Mollema said.

    Microsoft issued the CVE and mitigation guidance alongside the presentation. Customers that implemented the April fixes and followed Microsoft’s migration steps are not vulnerable to the exploitation method described.

    Why this matters beyond federal systems

    CISA urges private sector organizations to treat the advisory as urgent business

    The emergency directive legally binds federal civilian agencies only. Still, CISA made clear the risk crosses sectors. “The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment,” Acting Director Madhu Gottumukkala said. CISA strongly urged all organizations to adopt the same mitigations immediately.

    Detection challenges and practical notes from vendors

    What defenders should expect when hunting for post-exploit activity

    Because the attack leverages valid hybrid tokens and trusted service principals, traditional cloud alerts may miss it. Microsoft advised that applying only the hotfix is not enough: administrators must perform the manual migration to a dedicated hybrid application. CISA’s inventory step is intended to help agencies find unmitigated servers quickly.
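Since the cloud side sees a trusted principal presenting valid tokens, the remaining defender signals are where that principal is used from and whether its credentials or configuration change. The following is an added example (not Microsoft's or CISA's code) of that review over cloud-side records: the record layout, field and operation names, principal name, addresses and timestamps are all constructed for this example, and the on-prem egress range is an assumption that a real deployment would replace with its own. Per Microsoft's warning above, activity that originates on the on-prem Exchange side may never reach this telemetry, so an empty result is not clearance; the migration to a dedicated hybrid application is the actual fix.

```python
"""Review cloud-side records for the hybrid service principal.

Added example, not Microsoft's or CISA's code. The record layout, field
names, operation names, principal name and addresses are constructed for
this example; in practice the rows would be mapped from an Entra ID
sign-in/audit export.
"""
import ipaddress
import json

# Assumption: the on-prem Exchange servers reach the cloud only from this
# egress range, so legitimate hybrid sign-ins should originate from it.
ONPREM_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]

# Placeholder for the hybrid service principal (the real identifier is
# tenant-specific and is not taken from the page).
HYBRID_PRINCIPAL = "exchange-hybrid-sp-placeholder"

# Constructed operation names for changes to the principal's credentials or
# configuration; any such event on the hybrid principal is reviewed
# regardless of where it came from.
CREDENTIAL_CHANGES = {
    "AddKeyCredential",
    "AddPasswordCredential",
    "UpdateServicePrincipal",
}

# Constructed sample: four records, two of which deserve a look.
SAMPLE_RECORDS = json.dumps([
    {"time": "2025-08-08T02:10:00Z", "principal": HYBRID_PRINCIPAL,
     "operation": "ServicePrincipalSignIn", "source_ip": "203.0.113.5"},
    {"time": "2025-08-08T02:12:00Z", "principal": HYBRID_PRINCIPAL,
     "operation": "ServicePrincipalSignIn", "source_ip": "198.51.100.77"},
    {"time": "2025-08-08T02:15:00Z", "principal": HYBRID_PRINCIPAL,
     "operation": "AddKeyCredential", "source_ip": "203.0.113.5"},
    {"time": "2025-08-08T02:20:00Z", "principal": "some-other-app",
     "operation": "ServicePrincipalSignIn", "source_ip": "198.51.100.77"},
])


def from_onprem_egress(ip: str) -> bool:
    """True if the address falls inside the known on-prem egress range(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ONPREM_EGRESS)


def review(records_json: str) -> list[dict]:
    """Return the records on the hybrid principal that need analyst review.

    Two triggers: (1) a credential/config change on the principal, which
    should always match a change ticket; (2) the principal being used from
    an address that is not the on-prem Exchange egress.
    """
    findings = []
    for rec in json.loads(records_json):
        if rec["principal"] != HYBRID_PRINCIPAL:
            continue
        if rec["operation"] in CREDENTIAL_CHANGES:
            findings.append({**rec, "reason": "credential or config change on hybrid principal"})
        elif not from_onprem_egress(rec["source_ip"]):
            findings.append({**rec, "reason": "hybrid principal used from outside on-prem egress"})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(f"{finding['time']} {finding['operation']} from {finding['source_ip']}: {finding['reason']}")
```

On the sample this flags the sign-in from outside the egress range and the credential addition, and ignores the unrelated application. Treating a credential change on the hybrid principal as reviewable even from an expected address matters because, as the article explains, the attack path starts with a compromised on-prem server whose traffic looks entirely legitimate.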

    Timeline and final points of record

    Key dates and context

    • Researcher disclosure and coordination with Microsoft: three weeks before Black Hat.
    • Microsoft issued guidance and the CVE after coordinated disclosure.
    • CISA Emergency Directive 25-02 sets the Monday 9:00 AM ET remediation deadline and the 5:00 PM ET reporting deadline.