This page was created programmatically; to read the article in its original location, go to the link below:
https://federalnewsnetwork.com/cybersecurity/2025/08/cisa-directs-agencies-to-mitigate-high-severity-microsoft-vulnerability/
and if you want this article removed from our site, please contact us
CISA directs agencies to mitigate ‘high-severity’ Microsoft vulnerability
CISA is giving agencies until 9 a.m. Monday to address a vulnerability that, left unaddressed, could allow hackers to achieve “total domain compromise.”
The Cybersecurity and Infrastructure Security Agency is giving agencies through the weekend to patch a critical vulnerability in hybrid configurations of Microsoft’s widely used Exchange product.
In an emergency directive issued early Thursday afternoon, CISA is giving agencies until 9 a.m. on Monday, Aug. 11, to mitigate the Microsoft Exchange vulnerability. CISA said it was not aware of active exploitation of the vulnerability, but that it could “severely impact an organization’s identity integrity and administrative access across cloud-connected services” if left unaddressed.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend,” CISA Acting Director Madhu Gottumukkala said as part of an announcement. “The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”
CISA said the vulnerability “poses a grave risk” to organizations running Exchange hybrid-joined configurations that have not yet followed patch guidance released by Microsoft in April.
“Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment,” the agency wrote in its alert.
Under the directive, agencies are required to assess their Microsoft Exchange environment and disconnect any end-of-life servers that were not eligible for an April 2025 update.
Agencies that maintain on-premises Exchange servers are required to carry out a number of additional mitigations by Monday morning.
In a separate advisory issued Wednesday night, CISA said the “high-severity vulnerability” could allow a hacker to exploit vulnerable hybrid configurations. Left unaddressed, the exploit could allow hackers to achieve “total domain compromise,” CISA wrote.
Microsoft said it had not observed any exploitation of the vulnerability, but urged organizations with affected environments to immediately apply mitigations.
Black Hat connections
Microsoft said it discovered the severe vulnerability as part of the overall Exchange hybrid changes released in April.
“Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement,” Microsoft wrote in a vulnerability summary.
At the Black Hat cybersecurity conference in Las Vegas, Nev., on Wednesday, independent security researcher Dirk-jan Mollema demonstrated the exploit. He said he was able to introduce a number of new lateral movement techniques, allowing him to bypass authentication and “stealthily exfiltrate data” using on-premises Active Directory as a starting point.
Microsoft bugs
The Exchange vulnerability is the latest to hit Microsoft services that are widely relied upon by federal agencies and organizations around the world.
In July, hackers began exploiting a previously unknown “zero day” vulnerability in Microsoft’s SharePoint software. CISA gave agencies a tight deadline to mitigate that vulnerability as well.
Nevertheless, a number of federal agencies were reportedly hacked as a result of the SharePoint exploit.
Some cybersecurity experts have criticized Microsoft for lax cybersecurity practices and called on the federal government to reduce its reliance on the tech giant.
In 2024, the Cyber Safety Review Board, which was disbanded by the Trump administration earlier this year, released a highly critical report on Microsoft’s cloud security practices. Following the report, the company accepted responsibility for the findings and committed to making security improvements.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
