
High-severity Microsoft Exchange vulnerability disclosed and actively exploited


Summary


A high-severity vulnerability in on-premises Microsoft Exchange servers is being actively exploited. CISA and Microsoft are working together on mitigation, and organizations running Exchange on-premises are urged to apply Microsoft's guidance to reduce their exposure. Successful exploitation can give an attacker unauthorized access to the server and to the mail data it holds. Technical details have been withheld to limit further exploitation.

Timeline

  1. 06.08.2025 15:00

    High-severity Microsoft Exchange vulnerability disclosed and actively exploited


Similar Happenings

Senator Wyden calls for FTC probe into Microsoft's role in ransomware attacks on U.S. critical infrastructure

U.S. Senator Ron Wyden has urged the Federal Trade Commission (FTC) to investigate Microsoft for cybersecurity negligence that, he argues, enabled ransomware attacks on U.S. critical infrastructure, including healthcare networks. The call follows the ransomware attack on the Ascension healthcare system, which exposed the personal and medical information of nearly 5.6 million people. The attack, attributed to the Black Basta ransomware group, began when a contractor clicked a malicious link in Bing search results and infected their machine; the attackers then took advantage of insecure default settings in Microsoft software, in particular continued support for the RC4 cipher, to obtain elevated access to Ascension's network. Wyden's office singles out Microsoft's continued support for RC4, an outdated and insecure cipher, as a significant weakness. Microsoft has acknowledged the issues and plans to deprecate RC4 in future updates to Windows 11 and Windows Server 2025; it has also published mitigations against Kerberoasting, an attack on the Kerberos authentication protocol that is far cheaper to carry out when service tickets are protected with RC4 rather than AES. Wyden's office had asked Microsoft to warn customers about the dangers of RC4 compared with AES 128/256; Microsoft responded with a technical blog post in October 2024, which the senator's office criticized for not conveying the warning clearly to decision-makers. Microsoft says it is gradually removing RC4 and, in the meantime, providing guidance on using the algorithm as safely as possible.

Exploit chain in Sitecore Experience Platform enables remote code execution

Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE): HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches were released in June and July 2025. The chain combines pre-authentication and post-authentication flaws and worked against instances that were fully patched at the time of the research. Separately, a zero-day vulnerability (CVE-2025-53690) has been exploited in the wild to deliver malware, including the WeepSteel backdoor, and to carry out extensive reconnaissance and lateral movement. CVE-2025-53690 is a ViewState deserialization vulnerability: pre-2025 Sitecore deployment guides included a sample ASP.NET machine key, and deployments that copied it into production use a validation key the attackers already know, so they can craft ViewState payloads that pass the MAC check and are deserialized by the server. The observed attacks target the '/sitecore/blocked.aspx' endpoint, which exposes a ViewState field without authentication, and achieve RCE under the IIS NETWORK SERVICE account. The dropped payload, WeepSteel, is a reconnaissance backdoor that gathers system, process, disk, and network information. Mandiant, which observed the attack, traced it to the documentation issue of sample machine keys provided for customer use. Sitecore advised customers to rotate and secure their ASP.NET machine keys, encrypt sensitive elements of web.config, and restrict access to administrators only. CISA has ordered FCEB agencies to update their Sitecore instances by September 25, 2025.
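The remediation Sitecore describes (rotate the machine key, use strong algorithms, encrypt the section) can be checked mechanically. The script below is an added example, not code from Sitecore, Mandiant or the original article: it audits the `<machineKey>` element of a web.config for the failure pattern behind CVE-2025-53690 and rewrites it with fresh random keys. The sample web.config and the "published sample key" value (`"A" * 128`) are constructed placeholders, not the real key from the Sitecore guides.

```python
"""Audit and rotate the ASP.NET <machineKey> in a web.config.

Added example, not Sitecore's or Mandiant's code. A validation key copied from
published documentation lets anyone who has read the docs forge ViewState that
passes the MAC check and is deserialized by the server. The sample configs and
the "published sample key" below are constructed placeholders, not real values.
"""
import secrets
import xml.etree.ElementTree as ET

# Hypothetical stand-in for keys that appear verbatim in vendor guides.
KNOWN_SAMPLE_KEYS = {"A" * 128}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def _child(elem, tag):
    """First direct child with the given tag (sidesteps XPath handling of 'system.web')."""
    return next((c for c in elem if c.tag == tag), None)


def _is_hex(s: str) -> bool:
    return len(s) > 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(config_xml)
    findings = []
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    pages = _child(system_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState integrity is not checked at all")

    mk = _child(system_web, "machineKey")
    if mk is None:
        findings.append("no explicit machineKey: keys are auto-generated per server "
                        "(works for a single node, breaks web farms)")
        return findings
    if mk.get("configProtectionProvider"):
        # Section was encrypted with aspnet_regiis -pe; keys are not readable from the file.
        return findings

    # .NET 4.x defaults apply when the attributes are omitted.
    validation = mk.get("validation", "HMACSHA256").upper()
    decryption = mk.get("decryption", "AES").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    if decryption != "AES":
        findings.append(f"decryption={decryption}: use AES")

    # Minimum key sizes in hex chars: 64 bytes for HMACSHA256, 32 bytes for AES-256.
    for name, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        key = mk.get(name, "AutoGenerate,IsolateApps")
        if key.startswith("AutoGenerate"):
            continue
        if key.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{name} matches a published sample key: ViewState can be forged")
            continue
        if not _is_hex(key):
            findings.append(f"{name} is not a hex string")
            continue
        if len(key) < min_hex:
            findings.append(f"{name} is {len(key) // 2} bytes; use at least {min_hex // 2}")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Replace the machineKey with fresh random keys and strong algorithms."""
    root = ET.fromstring(config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = _child(system_web, "machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    for stale in list(mk):          # drop <EncryptedData> if the section was encrypted
        mk.remove(stale)
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 random bytes
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 random bytes
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


# Constructed web.config fragment that reproduces the Sitecore failure pattern.
SAMPLE_BAD_CONFIG = f"""<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{'A' * 128}" decryptionKey="{'B' * 48}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_BAD_CONFIG):
        print("FINDING:", finding)
    print("after rotation:", audit_machine_key(rotate_machine_key(SAMPLE_BAD_CONFIG)))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so do it on all nodes of a farm at once; after rotation, encrypting the section with `aspnet_regiis -pe "system.web/machineKey"` is what makes the `configProtectionProvider` branch above apply.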

Citrix NetScaler ADC and Gateway vulnerabilities actively exploited

Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of them, CVE-2025-7775, is a zero-day that is being actively exploited in the wild. Depending on the configuration, the flaws can lead to remote code execution, denial of service, or improper access control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to remediate it within 48 hours. The vulnerabilities were reported by security researchers Jimi Sebree, Jonathan Hetzer, and François Hämmerli. Nearly 20% of the NetScaler assets identified on the internet run unsupported, end-of-life versions, most of them in North America and the APAC region.

Russian State-Sponsored Hackers Exploit Cisco Vulnerability for Cyber Espionage

The Russian state-sponsored cyber espionage group Static Tundra is exploiting a seven-year-old vulnerability (CVE-2018-0171) in the Smart Install feature of Cisco IOS and IOS XE software to gain persistent access to target networks. The group, linked to the FSB's Center 16 unit, targets telecommunications, higher education, manufacturing, and critical infrastructure organizations across North America, Asia, Africa, and Europe, with increased activity against Ukraine since the start of the war. Exploiting Smart Install lets the actors execute arbitrary code on the device and collect its configuration files, which they have done against thousands of networking devices. The group uses custom implants such as SYNful Knock for persistence and abuses SNMP for unauthorized access. Its goal is long-term intelligence collection aligned with the strategic interests of the Russian government. The FBI and Cisco have issued advisories about the ongoing exploitation and urge organizations to patch or, where patching is not possible, disable Smart Install. End-of-life devices are especially exposed because they no longer receive security updates and so remain exploitable indefinitely. The FBI has detected the actors collecting configuration files from thousands of networking devices belonging to U.S. entities across critical infrastructure sectors, and using that access to conduct reconnaissance that revealed an interest in protocols and applications commonly associated with industrial control systems. Over the last decade the same group has also targeted U.S. state, local, territorial, and tribal (SLTT) government organizations and aviation entities. The U.S. Department of State has offered a $10 million reward for information on three FSB officers involved in these intrusions, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, who targeted more than 380 energy-sector companies in 135 countries and took part in the Dragonfly campaign, which gained persistent access to victim networks and infected them with the Havex malware through a supply chain compromise.
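The two exposures described above, Smart Install left enabled and SNMP access that the actors could abuse, can be spotted in a saved running-config before touching the device. The script below is an added example, not code from Cisco, Talos or the FBI: it flags configs without `no vstack` (and without an ACL denying TCP/4786, the fallback when the feature cannot be disabled) and SNMP community lines that use well-known strings or grant read-write access without an access-list. The two sample configs are constructed, and the SNMP parser assumes the common `snmp-server community <string> [RO|RW] [acl]` form rather than every IOS variant.

```python
"""Audit a Cisco IOS running-config for Smart Install (CVE-2018-0171, TCP/4786)
left enabled and for weak SNMP community strings.

Added example, not Cisco's or the FBI's code. The sample configs are constructed.
The checks are textual: on a live device, 'show vstack config' is authoritative.
"""

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "default"}


def audit_ios_config(running_config: str) -> list[str]:
    """Return findings for a running-config text; an empty list means clean."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    findings = []

    # Smart Install is on by default on client-capable switches; only an explicit
    # 'no vstack' turns it off. An ACL denying tcp/4786 is the fallback when the
    # platform cannot disable it.
    if "no vstack" not in lines:
        acl_blocks_4786 = any(ln.startswith("deny tcp") and "eq 4786" in ln for ln in lines)
        if not acl_blocks_4786:
            findings.append("Smart Install not disabled ('no vstack' absent) and no ACL denying tcp/4786")

    for ln in lines:
        parts = ln.split()
        if len(parts) < 3 or parts[:2] != ["snmp-server", "community"]:
            continue
        community = parts[2]
        mode = parts[3].upper() if len(parts) > 3 else "RO"   # IOS defaults to RO
        acl = parts[4] if len(parts) > 4 else None
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"SNMP community {community!r} is a well-known default")
        if mode == "RW" and acl is None:
            findings.append(f"SNMP community {community!r} is read-write with no access-list; "
                            "RW access allows configuration download and upload")
    return findings


# Constructed configs: one with the exposures, one hardened along the advisory's lines.
SAMPLE_EXPOSED = """!
version 15.2
hostname edge-sw1
!
snmp-server community public RO
snmp-server community private RW
!
interface GigabitEthernet0/1
!
end"""

SAMPLE_HARDENED = """!
version 15.2
hostname edge-sw1
!
no vstack
!
ip access-list standard SNMP-MGMT
 permit 10.0.0.0 0.0.0.255
!
snmp-server community k7Qw2pL9x RO SNMP-MGMT
!
end"""

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_EXPOSED):
        print("FINDING:", finding)
    print("hardened:", audit_ios_config(SAMPLE_HARDENED))
```

A config that passes this check on an end-of-life device is still not safe: the Smart Install bug itself stays unpatched there, so the only durable fix is `no vstack` plus replacement of the hardware.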

August 2025 Windows Security Updates Cause Recovery and Reset Failures

Microsoft's August 2025 Windows security updates cause failures in reset and recovery operations, streaming problems, and app installation issues on Windows 10 and on older versions of Windows 11. The recovery bug affects several system recovery and reset features, including 'Reset my PC' and the 'Fix problems using Windows Update' tool, as well as remote resets triggered through the RemoteWipe CSP. The affected updates are KB5063875 for Windows 11 23H2 and 22H2, KB5063709 for Windows 10 22H2 and LTSC 2021, and KB5063877 for Windows 10 LTSC 2019. Microsoft has confirmed the bug and released out-of-band updates to fix it; it has addressed similar regressions in the past with Known Issue Rollback (KIR). The same August updates also cause severe lag and stuttering in NDI streaming software on some Windows 10 and Windows 11 systems, which Microsoft fixed in KB5065426 and KB5065429. Finally, the August updates trigger unexpected User Account Control (UAC) prompts and app installation failures for non-admin users on all supported Windows versions. The cause is the security fix for CVE-2025-50173, a Windows Installer privilege escalation vulnerability, which makes MSI repair operations require elevation. The September 2025 update narrows the set of MSI repairs that require a UAC prompt and lets IT admins exempt specific apps by adding them to an allowlist.