ED 25-02: Mitigate Microsoft Exchange Vulnerability

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-02: Mitigate Microsoft Exchange Vulnerability.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Sections 2202(c)(3) and 2205(3) of the Homeland Security Act of 2002, as amended, delegate this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. §§ 652(c)(3), 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B). 

Background

CISA is aware of a post-authentication vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid-joined configurations that allows an attacker to move laterally from on-premises Exchange to the M365 cloud environment. This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical. Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment.

Required Actions

By 9:00 AM EDT on Monday, August 11, 2025, ALL agencies must:

1. Assess current Microsoft Exchange Environment
   1. Run the Microsoft-provided Exchange Server Health Checker script to inventory all Exchange Servers.
   2. Identify current Cumulative Update level (e.g., CU14, CU15 for Exchange 2019; CU23 for Exchange 2016).
   3. Determine if servers are eligible for the April 2025 Hotfix Updates (HUs).
   4. If your agency has ever run Microsoft Exchange in a hybrid configuration, Step 5.b below is required.
2. Disconnect End-of-Life Servers
   1. Disconnect all servers not eligible for the April 2025 Hotfix Updates (HUs), to include end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script.

For agencies that implement Microsoft Exchange hybrid environments, perform the following actions by 9:00 AM EDT Monday, August 11, 2025, for all on-premises Exchange Servers not disconnected in Step 2: 

3. Update to Latest Cumulative Update (CU)
   1. Use the Exchange Update Wizard to plan your upgrade path.
   2. Install the latest CU supported by your environment:
      1. Exchange 2019: CU14 or CU15
      2. Exchange 2016: CU23
4. Apply April 2025 Hotfix Updates (HUs), Validate, and Monitor
   1. These HUs introduce support for the dedicated Exchange hybrid application in Entra ID.
   2. Ensure the update is applied to all hybrid Exchange Servers.
   3. Re-run the Health Checker script post-update.
   4. Monitor for known issues (e.g., EdgeTransport.exe behavior with Azure RMS).
   5. Use SetupAssist and repair tools if installation issues arise.
5. Transition to Dedicated Exchange Hybrid Application
   1. Replace the legacy shared service principal with the new dedicated hybrid app in Entra ID.

      1. Run .\ConfigureExchangeHybridApplication.ps1 

              -FullyConfigureExchangeHybridApplication

      2. Use an account that has Application Administrator role permissions in Entra ID (otherwise follow blog instructions for split configuration)
   2. Perform Credential Cleanup

      1. Run .\ConfigureExchangeHybridApplication.ps1 

              -ResetFirstPartyServicePrincipalKeyCredential

6. Prepare for Microsoft Graph API Transition
   1. EWS calls from Exchange Server to Exchange Online will be deprecated.
   2. Begin planning to switch to Microsoft Graph API for hybrid functionality.
   3. This change will be enforced starting October 2025, with further Graph permission model updates due by October 2026.

By 5:00 PM EDT on Monday, August 11, 2025, ALL agencies must:

7. Report to CISA using the CISA-provided template.

CISA Actions

1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
3. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
4. By December 1, 2025, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

Duration

This Emergency Directive remains in effect until CISA determines that all agencies with Microsoft Exchange hybrid environments have performed all required actions from this Directive or the Directive is terminated through other appropriate action.

Additional Information

In addition to the requirement to disconnect end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script, CISA highly recommends that agencies disconnect the "Last Exchange Server", which remains after an agency has transitioned to M365 Exchange. Guidance for decommissioning Exchange servers – How and when to decommission your on-premises Exchange servers in a hybrid deployment | Microsoft Learn

Visit https://www.cisa.gov/news-events/directives or contact the following for:

• General information, assistance, and reporting – CyberDirectives@mail.cisa.dhs.gov
• Reporting indications of compromise – central@mail.cisa.dhs.gov