https://www.cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability
Security monitoring platform Shadowserver has identified more than 29,000 Microsoft Exchange servers that remain unpatched against a high-severity vulnerability that could enable attackers to achieve complete domain compromise in hybrid cloud environments. The flaw, tracked as CVE-2025-53786, affects Exchange Server 2016, 2019, and Microsoft Exchange Server Subscription Edition in hybrid configurations, allowing threat actors with administrative access to on-premises servers to escalate privileges in connected cloud environments by forging trusted tokens or API calls without leaving easily detectable traces.
The vulnerability prompted swift action from federal cybersecurity authorities, with CISA issuing Emergency Directive 25-02 just one day after Microsoft’s disclosure, ordering all Federal Civilian Executive Branch agencies to mitigate the flaw by Monday at 9:00 AM ET. Federal agencies must inventory their Exchange environments using Microsoft’s Health Checker script, disconnect unsupported public-facing servers from the internet, and update remaining servers to the latest cumulative updates with Microsoft’s April 2025 hotfix. The geographic distribution of unpatched servers shows over 7,200 IP addresses in the United States, more than 6,700 in Germany, and over 2,500 in Russia, highlighting the global scope of the exposure.
Microsoft disclosed the vulnerability as part of its Secure Future Initiative in April 2025, releasing guidance and hotfixes that support a new architecture using a dedicated hybrid app to replace the previously insecure shared identity mechanism between on-premises Exchange Server and Exchange Online. While Microsoft has not yet found evidence of active exploitation, the company tagged the vulnerability as “Exploitation More Likely” because consistent exploit code could plausibly be developed, which would make the flaw more attractive to attackers. The risks extend beyond federal agencies, and all organisations using Exchange hybrid environments are strongly urged to adopt the same protective measures to prevent potential total domain compromise scenarios.