The Cybersecurity and Infrastructure Security Agency (CISA) today ordered Federal government agencies to take mitigation steps to deal with a Microsoft Exchange vulnerability that the agency warned about on Wednesday night, and to finish that work by 9 a.m. Eastern time on Monday, Aug. 11.

CISA’s initial alert issued on Wednesday warned of a “high-severity vulnerability we are actively monitoring and mitigating with on-premise Microsoft Exchange server” that came to light earlier in the day.

“As with all high-severity threats and vulnerabilities, we immediately began working with Microsoft and our government and industry partners to assess the scope and impact,” CISA said.

The cybersecurity agency said it was “strongly” encouraging all organizations “to implement Microsoft guidance to reduce risk.”

In a follow-up alert and emergency directive on Thursday afternoon, CISA instructed Federal agencies to take a series of mitigation steps by Monday morning.

Those required steps include, among others: assessing their current Microsoft Exchange environment, disconnecting end-of-life servers, and, for agencies that operate Microsoft Exchange hybrid environments, updating to the latest Cumulative Update.

The full list of instructions is contained in CISA’s emergency directive issued today.

In addition to the deadline of Monday morning at 9 a.m. Eastern time, CISA said all agencies must report back to the agency by 9 p.m. Eastern time on Monday, Aug. 11 using a template provided by CISA in its emergency directive.

For its own part, CISA said it will “continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate,” and will “provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.”

The agency also said it will report on the situation by Dec. 1 to the secretary of the Department of Homeland Security, the national cyber director, the director of the Office of Management and Budget, and the Federal chief information security officer “identifying cross-agency status and outstanding issues.”

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend,” said CISA Acting Director Madhu Gottumukkala in announcing the emergency directive.

“The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment,” Gottumukkala said, adding, “While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”

In its initial alert issued on Wednesday, CISA explained the CVE-2025-53786 vulnerability and said it “allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations.”

“This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service,” the agency said.

According to CISA, “Microsoft has stated there is no observed exploitation as of the time of this alert’s publication.”

However, the agency said it “strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance … or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.”

CISA directed organizations to review Microsoft’s own Aug. 6 alert about the problem for additional guidance and to implement mitigation steps.

This story has been updated following the issuance of the emergency directive.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.