CISA has issued an emergency directive ordering all Federal Civilian Executive Branch (FCEB) agencies to mitigate a critical Microsoft Exchange hybrid vulnerability, tracked as CVE-2025-53786, by Monday morning.
Federal Civilian Executive Branch (FCEB) agencies are non-military agencies within the US Executive Branch, including the Department of Homeland Security, the Treasury Department, the Energy Department, and the Department of Health and Human Services.
Tracked as CVE-2025-53786, the flaw allows attackers who already have administrative access to on-premises Exchange servers to move laterally into the Microsoft cloud environment, possibly leading to domain compromise.
The vulnerability affects Microsoft Exchange Server 2016, 2019, and Subscription Edition.
In hybrid configurations, Exchange Online and on-premises Exchange servers share the same service principal, a common trust relationship that is used to authenticate with each other.
An attacker with administrative privileges on the on-premises Exchange server can potentially forge or manipulate requests or API calls that the cloud side accepts as valid. The technique allows attackers to move laterally from the local network into the company's cloud environment, potentially compromising the organization's entire Active Directory and cloud infrastructure.
To make matters worse, Microsoft says that cloud-based logging tools such as Microsoft Purview may not log malicious activity if it originates from an on-premises Exchange server, making exploitation difficult to detect.
This flaw comes after Microsoft issued guidance and an Exchange Server hotfix in April 2025 to support a new architecture that uses a dedicated hybrid application instead of the shared service principal, as part of its Secure Future Initiative.
Yesterday, security researcher Dirk-jan Mollema of Outsider Security demonstrated during a Black Hat presentation how this shared service principal can be abused in a post-exploitation attack.
The researcher told BleepingComputer that he reported the flaw three weeks before the talk to give Microsoft advance warning. In coordination with the presentation, Microsoft issued CVE-2025-53786 and guidance on how to mitigate it.
“I originally did not consider it a vulnerability because the protocols used for these attacks were designed with the features covered during the talk, and simply lack significant security controls in general,” Mollema told BleepingComputer.
“The report, describing the possibilities for attackers, was sent as a heads up to MSRC 3 weeks before Black Hat and the disclosure was coordinated with them. Apart from this guidance, Microsoft also mitigated an attack path which could lead to full tenant compromise (Global Administrator).”
The good news is that Microsoft Exchange customers who had previously implemented the hotfix and the April guidance are already protected from this new post-exploitation attack.
However, those who have not implemented the mitigations are still affected and should install the hotfix and follow Microsoft's instructions (Doc 1 and Doc 2) on deploying the dedicated Exchange hybrid app.
“Applying only the hotfix is not enough in this case, as migrating to a dedicated service principal requires manual follow-up actions,” Mollema explained.
“From a security point of view, the urgency depends on how much importance you attach to the separation of on-premises resources and cloud-hosted resources. In the old setup, the Exchange hybrid has full access to all resources in Exchange Online and in SharePoint.”
Mollema also reiterated that his technique is a post-exploitation attack, meaning an attacker must already have compromised the on-premises environment or Exchange server and, in this case, hold administrator privileges.
According to CISA Emergency Directive 25-02, federal agencies must first inventory their Exchange environment using Microsoft's Health Checker script. Any server that is no longer supported by the April 2025 hotfix, such as an end-of-life Exchange version, must be disconnected.
All remaining servers should be updated to the latest cumulative updates (CU14 or CU15 for Exchange 2019, and CU23 for Exchange 2016) and patched with the April hotfix. Afterwards, administrators should run Microsoft's configuration PowerShell script to switch to a dedicated service principal in Entra ID.
CISA warns that failing to implement these mitigations can lead to a complete compromise of the hybrid environment.
Agencies must complete the technical remediation steps by Monday morning and submit a report to CISA by 5:00 PM the same day.
While non-governmental organizations are not required to take action under this directive, CISA urged all organizations to mitigate the attack.
“The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment,” said Madhu Gottumukkala, acting director of CISA.
“While federal agencies are mandated to act, we strongly urge all organizations to adopt the actions in this emergency directive.”