ED 25-02: Mitigate Microsoft Exchange Vulnerability

August 07, 2025
Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-02: Mitigate Microsoft Exchange Vulnerability.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Sections 2202(c)(3) and 2205(3) of the Homeland Security Act of 2002, as amended, delegate this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. §§ 652(c)(3), 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B). 

Background

CISA is aware of a post-authentication vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid-joined configurations that allows an attacker to move laterally from on-premises Exchange to the M365 cloud environment. This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical. Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment.

Required Actions

By 9:00 AM EDT on Monday, August 11, 2025, ALL agencies must:

  1. Assess current Microsoft Exchange Environment
    1. Run the Microsoft-provided Exchange Server Health Checker script to inventory all Exchange Servers.
    2. Identify current Cumulative Update level (e.g., CU14, CU15 for Exchange 2019; CU23 for Exchange 2016).
    3. Determine if servers are eligible for the April 2025 Hotfix Updates (HUs).
    4. If your agency has ever run Microsoft Exchange in a hybrid configuration, Step 5.b below is required.
  2. Disconnect End-of-Life Servers
    1. Disconnect all servers not eligible for the April 2025 Hotfix Updates (HUs), to include end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script.

For agencies that implement Microsoft Exchange hybrid environments, perform the following actions by 9:00 AM EDT Monday, August 11, 2025, for all on-premises Exchange Servers not disconnected in Step 2: 

  1. Update to Latest Cumulative Update (CU)
    1. Use the Exchange Update Wizard to plan your upgrade path.
    2. Install the latest CU supported by your environment:
      1. Exchange 2019: CU14 or CU15
      2. Exchange 2016: CU23
  2. Apply April 2025 Hotfix Updates (HUs), Validate, and Monitor
    1. These HUs introduce support for the dedicated Exchange hybrid application in Entra ID.
    2. Ensure the update is applied to all hybrid Exchange Servers.
    3. Re-run the Health Checker script post-update.
    4. Monitor for known issues (e.g., EdgeTransport.exe behavior with Azure RMS).
    5. Use SetupAssist and repair tools if installation issues arise.
  3. Transition to Dedicated Exchange Hybrid Application
    1. Replace the legacy shared service principal with the new dedicated hybrid app in Entra ID.
      1. Run .\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication
      2. Use an account that has the Application Administrator role in Entra ID (otherwise follow the blog instructions for the split configuration).
    2. Perform Credential Cleanup
      1. Run .\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredential

  4. Prepare for Microsoft Graph API Transition
    1. EWS calls from Exchange Server to Exchange Online will be deprecated.
    2. Begin planning to switch to Microsoft Graph API for hybrid functionality.
    3. This change will be enforced starting October 2025, with further Graph permission model updates due by October 2026.
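The following PowerShell is an added example, not part of the directive and not Microsoft's Health Checker script: it classifies each on-premises Exchange server by Cumulative Update level to support the assessment steps (identify CU level, determine April 2025 HU eligibility, disconnect ineligible servers) and the hybrid CU-update step above. It assumes the build-to-CU mapping given in its comments and, for a live inventory, that it runs inside the Exchange Management Shell where Get-ExchangeServer is available; the sample input at the end is constructed.

```powershell
# Added example (not the directive's or Microsoft's code). Classifies on-premises Exchange
# servers by CU level for Steps 1.2, 1.3 and 2 of the directive. The build-to-CU mapping is
# an assumption: verify it against Microsoft's published Exchange build numbers before use.
$EligibleBuilds = @{
    '15.2.1748' = 'Exchange 2019 CU15'   # eligible for April 2025 HU
    '15.2.1544' = 'Exchange 2019 CU14'   # eligible for April 2025 HU
    '15.1.2507' = 'Exchange 2016 CU23'   # eligible for April 2025 HU
}
$NewestKnownBuild = @{ '15.2' = 1748; '15.1' = 2507 }   # highest CU build per supported product

function Get-ExchangeCuStatus {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # AdminDisplayVersion as Get-ExchangeServer renders it: "Version 15.2 (Build 1544.4)"
        [Parameter(Mandatory)] [string] $AdminDisplayVersion
    )
    $product = 'Unknown'; $action = 'Investigate: version string could not be parsed'
    if ($AdminDisplayVersion -match 'Version (\d+\.\d+) \(Build (\d+)\.\d+\)') {
        $majorMinor = $Matches[1]; $build = [int]$Matches[2]; $key = "$majorMinor.$build"
        if ($EligibleBuilds.ContainsKey($key)) {
            $product = $EligibleBuilds[$key]
            $action  = 'Eligible: apply April 2025 HU if missing, then re-run Health Checker'
        } elseif ($NewestKnownBuild.ContainsKey($majorMinor)) {
            $product = "Exchange $majorMinor build $build"
            $action  = if ($build -gt $NewestKnownBuild[$majorMinor]) {
                           'Newer than this mapping: verify CU/HU status manually'
                       } else { 'Update to latest supported CU, then apply April 2025 HU' }
        } else {
            $product = "Exchange $majorMinor (end of life)"
            $action  = 'Not eligible for April 2025 HU: disconnect (Step 2)'
        }
    }
    [pscustomobject]@{ Name = $Name; Version = $AdminDisplayVersion; Product = $product; Action = $action }
}

# Live inventory: run inside the Exchange Management Shell, where Get-ExchangeServer exists.
function Get-ExchangeCuInventory {
    Get-ExchangeServer | ForEach-Object {
        Get-ExchangeCuStatus -Name $_.Name -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
    }
}

# Constructed sample input so the classifier can be exercised without an Exchange environment.
$sample = @(
    @{ Name = 'EX19-01'; AdminDisplayVersion = 'Version 15.2 (Build 1748.10)' }
    @{ Name = 'EX19-02'; AdminDisplayVersion = 'Version 15.2 (Build 1258.12)' }
    @{ Name = 'EX16-01'; AdminDisplayVersion = 'Version 15.1 (Build 2507.6)' }
    @{ Name = 'EX13-01'; AdminDisplayVersion = 'Version 15.0 (Build 1497.2)' }
)
$sample | ForEach-Object { $p = $_; Get-ExchangeCuStatus @p } | Format-Table -AutoSize
```

The classifier output is a triage aid only; the Health Checker script the directive requires remains the authoritative inventory, and HU presence must still be confirmed on each server.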

By 5:00 PM EDT on Monday, August 11, 2025, ALL agencies must:

  1. Report to CISA using the CISA-provided template.

CISA Actions

  1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
  2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
  3. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
  4. By December 1, 2025, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

Duration

This Emergency Directive remains in effect until CISA determines that all agencies with Microsoft Exchange hybrid environments have performed all required actions from this Directive or the Directive is terminated through other appropriate action.

Additional Information

In addition to the requirement to disconnect end-of-life Microsoft Exchange servers identified by the Exchange Server Health Checker script, CISA highly recommends that agencies disconnect the "Last Exchange Server", which remains after an agency has transitioned to M365 Exchange. Guidance for decommissioning Exchange servers: "How and when to decommission your on-premises Exchange servers in a hybrid deployment" (Microsoft Learn).

Visit https://www.cisa.gov/news-events/directives or contact the following for:

  • General information, assistance, and reporting – CyberDirectives@mail.cisa.dhs.gov
  • Reporting indications of compromise – central@mail.cisa.dhs.gov

