Press Release

CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02 in response to a vulnerability that impacts hybrid Microsoft Exchange users. This post-authentication vulnerability allows a cyber threat actor with administrative access to an Exchange server to escalate privileges and exploit vulnerable hybrid-joined configurations against the organization’s connected cloud environment. Federal civilian agencies are directed to take immediate action and implement vendor mitigation guidance.

At this time, CISA is not aware of active exploitation. However, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53786, could severely impact an organization’s identity integrity and administrative access across cloud-connected services if it is not addressed.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend,” said CISA Acting Director Madhu Gottumukkala. “The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”  

As federal civilian agencies implement this mandate, CISA will assess and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

For more information on CISA Directives, visit Cybersecurity Directives.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.