CISA Emergency Directive 25-02 issued for Microsoft Exchange vulnerability affecting hybrid environments
Summary
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and international partners, has released the "Microsoft Exchange Server Security Best Practices" guidance. It builds on CISA's Emergency Directive 25-02, issued on 07.08.2025 to mitigate CVE-2025-53786, a vulnerability in hybrid Microsoft Exchange deployments. The flaw is a post-authentication privilege escalation: an attacker who already holds administrative access to an on-premises Exchange server in a hybrid-joined configuration can abuse the trust between that server and the connected cloud environment to reach cloud-connected services. CISA has not observed active exploitation but warns of significant risk if the flaw is left unaddressed. The directive mandates immediate action from federal civilian agencies to implement Microsoft's mitigation guidance; CISA will assess and support compliance and provide additional resources as necessary. Days after the directive, over 29,000 Exchange servers were still found exposed to CVE-2025-53786, underscoring the urgency.
The guidance recommends proactive hardening: restrict administrative access, implement multifactor authentication, enforce strict transport security configurations, and adopt zero trust (ZT) security model principles. Concretely, the agencies recommend enabling certificate-based signing for the Exchange Management Shell, implementing HTTP Strict Transport Security (HSTS), preferring Kerberos over NTLM for authentication (including SMB), configuring Transport Layer Security (TLS) to protect data in transit, and enabling Extended Protection to defend against Adversary-in-the-Middle (AitM), relay and forwarding attacks. They also stress support lifecycles: some Exchange versions have reached end-of-life (EOL), and organizations should migrate to supported email software or services or disconnect unsupported systems, decommissioning end-of-life on-premises or hybrid Exchange servers once they have transitioned to Microsoft 365. CISA further encourages organizations to evaluate cloud-based email services instead of managing on-premises Exchange servers. Coverage of the release also notes the steady cooperation across government and allied cybersecurity organizations despite political friction and a prolonged government shutdown.
Timeline
-
30.10.2025 14:00 · 3 articles
CISA, NSA and global partners release security blueprint for Microsoft Exchange Servers
CISA, NSA and international partners publish the "Microsoft Exchange Server Security Best Practices" guidance, building on Emergency Directive 25-02. It stresses support lifecycles (migrate off, or disconnect, end-of-life Exchange versions) and recommends certificate-based signing for the Exchange Management Shell, HTTP Strict Transport Security, Kerberos rather than NTLM for authentication, TLS configuration to protect data in transit, and Extended Protection against Adversary-in-the-Middle (AitM), relay and forwarding attacks. Coverage also notes the continued cooperation between government and allied cybersecurity organizations despite political friction and a prolonged government shutdown.
Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
07.08.2025 15:00 · 3 articles
CISA issues Emergency Directive 25-02 for Microsoft Exchange vulnerability
CISA issues Emergency Directive 25-02, requiring federal civilian agencies to apply Microsoft's mitigations for CVE-2025-53786 in hybrid Exchange environments. Days later, over 29,000 Exchange servers were still found exposed to the flaw. The later joint guidance adds recommendations to decommission end-of-life on-premises or hybrid Exchange servers after moving to Microsoft 365, enable certificate-based signing for the Exchange Management Shell, implement HTTP Strict Transport Security, prefer Kerberos over NTLM for authentication, and configure TLS and Extended Protection against Adversary-in-the-Middle (AitM), relay and forwarding attacks.
Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
Information Snippets
-
The vulnerability, CVE-2025-53786, affects hybrid Microsoft Exchange environments.
First reported: 07.08.2025 15:00 · 3 sources, 4 articles. Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The flaw is a post-authentication privilege escalation: an attacker who already has administrative access to an on-premises Exchange server in a hybrid-joined configuration can escalate into the connected cloud environment.
First reported: 07.08.2025 15:00 · 3 sources, 4 articles. Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
CISA has not detected active exploitation of the vulnerability.
First reported: 07.08.2025 15:00 · 3 sources, 3 articles. Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The directive mandates immediate action from federal civilian agencies to implement vendor mitigation guidance.
First reported: 07.08.2025 15:00 · 3 sources, 4 articles. Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
CISA will assess and support compliance, providing additional resources as necessary.
First reported: 07.08.2025 15:00 · 3 sources, 4 articles. Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability — www.cisa.gov — 07.08.2025 15:00
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and international partners, has released the "Microsoft Exchange Server Security Best Practices" guidance.
First reported: 30.10.2025 14:00 · 3 sources, 3 articles. Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The guidance builds upon CISA’s Emergency Directive 25-02 and recommends proactive prevention techniques to address cyber threats in hybrid Exchange environments.
First reported: 30.10.2025 14:00 · 3 sources, 3 articles. Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The document advises on restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles.
First reported: 30.10.2025 14:00 · 3 sources, 3 articles. Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The guidance encourages organizations to evaluate the use of cloud-based email services instead of managing on-premises Exchange Servers.
First reported: 30.10.2025 14:00 · 3 sources, 3 articles. Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance with Five Eyes allies and trusted international partners under the Trump Administration.
First reported: 30.10.2025 14:00 · 1 source, 1 article. Sources:
- CISA, NSA and Global Partners Unveil Security Blueprint for Hardening Microsoft Exchange Servers — www.cisa.gov — 30.10.2025 14:00
-
CISA and NSA recommend decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
First reported: 30.10.2025 18:11 · 2 sources, 2 articles. Sources:
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
Over 29,000 Exchange servers were found vulnerable to CVE-2025-53786 attacks days after CISA's directive.
First reported: 30.10.2025 18:11 · 1 source, 1 article. Sources:
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
-
CISA, NSA, and partners recommend enabling certificate-based signing for the Exchange Management Shell and implementing HTTP Strict Transport Security.
First reported: 30.10.2025 18:11 · 2 sources, 2 articles. Sources:
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The agencies advise preferring Kerberos over NTLM for authentication, including for SMB, to harden authentication processes.
First reported: 30.10.2025 18:11 · 2 sources, 2 articles. Sources:
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The agencies recommend configuring Transport Layer Security (TLS) to protect data in transit and enabling Extended Protection to defend against Adversary-in-the-Middle (AitM), relay, and forwarding attacks.
First reported: 30.10.2025 18:11 · 2 sources, 2 articles. Sources:
- CISA and NSA share tips on securing Microsoft Exchange servers — www.bleepingcomputer.com — 30.10.2025 18:11
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The agencies emphasize the importance of support lifecycles, noting that some Exchange versions have reached end-of-life (EOL).
First reported: 03.11.2025 18:45 · 1 source, 1 article. Sources:
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The agencies strongly recommend minimizing risk by migrating to a supported email software or service, or disconnecting unsupported and EOL systems.
First reported: 03.11.2025 18:45 · 1 source, 1 article. Sources:
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
The guidance highlights the importance of steady cooperation across government and allied cybersecurity organizations despite political friction and a prolonged government shutdown.
First reported: 03.11.2025 18:45 · 1 source, 1 article. Sources:
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
CISA acting director, Madhu Gottumukkala, emphasized CISA's dedication to safeguarding critical infrastructure by providing timely guidance to minimize disruptions and to thwart nation-state threats.
First reported: 03.11.2025 18:45 · 1 source, 1 article. Sources:
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
-
CISA's executive assistant director for the Cybersecurity Division, Nick Andersen, called for continued vigilance amid a persistent threat landscape.
First reported: 03.11.2025 18:45 · 1 source, 1 article. Sources:
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
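An added audit script for three of the recommendations listed above (support lifecycle, Extended Protection, HTTP Strict Transport Security). It is this page's editorial example, not code from the CISA/NSA guidance or from Microsoft. It assumes it is run in an elevated Exchange Management Shell on the Exchange server with the IIS WebAdministration module available; the IIS configuration paths, the Subscription Edition build cutoff and the end-of-support dates are the author's assumptions taken from Microsoft's public documentation, not from the guidance.

```powershell
# Added example, not from the CISA/NSA guidance or Microsoft. Assumes an elevated Exchange
# Management Shell on the Exchange server with the IIS WebAdministration module present.
Import-Module WebAdministration -ErrorAction Stop

# Assumed lifecycle data (Microsoft lifecycle pages): Exchange 2013 ended 2023-04-11,
# Exchange 2016 and 2019 ended 2025-10-14. Exchange Server Subscription Edition also reports
# version 15.2 but with build 2562 or later (assumed cutoff), and is still supported.
$script:SeMinBuild = 2562

function Get-ExchangeSupportStatus {
    # AdminDisplayVersion looks like "Version 15.2 (Build 2562.17)"; minor version and build decide the product.
    foreach ($srv in Get-ExchangeServer) {
        $ver = [string]$srv.AdminDisplayVersion
        $product = 'unknown'; $eos = $null
        if ($ver -match 'Version (\d+)\.(\d+) \(Build (\d+)\.') {
            $minor = [int]$Matches[2]; $build = [int]$Matches[3]
            switch ($minor) {
                0 { $product = 'Exchange 2013'; $eos = [datetime]'2023-04-11' }
                1 { $product = 'Exchange 2016'; $eos = [datetime]'2025-10-14' }
                2 {
                    if ($build -ge $script:SeMinBuild) { $product = 'Exchange Subscription Edition' }
                    else { $product = 'Exchange 2019'; $eos = [datetime]'2025-10-14' }
                }
            }
        }
        [pscustomobject]@{
            Server       = $srv.Name
            Version      = $ver
            Product      = $product
            EndOfSupport = if ($eos) { $eos.ToString('yyyy-MM-dd') } else { 'n/a' }
            Finding      = if ($eos -and $eos -lt (Get-Date)) { 'EOL: migrate or disconnect' } else { 'OK' }
        }
    }
}

function Get-ExchangeExtendedProtection {
    # Reads tokenChecking for each IIS application under both Exchange sites. 'None' means
    # Extended Protection is off there. Whether the target is 'Allow' or 'Require' is set per
    # directory by Microsoft's table, so only 'None' is flagged here.
    $epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        foreach ($app in (Get-WebApplication -Site $site -ErrorAction SilentlyContinue)) {
            $ep = Get-WebConfiguration -PSPath "IIS:\Sites\$site$($app.Path)" -Filter $epFilter -ErrorAction SilentlyContinue
            $mode = if ($ep -and $ep.tokenChecking) { [string]$ep.tokenChecking } else { 'None' }
            [pscustomobject]@{
                Site          = $site
                Application   = $app.Path
                TokenChecking = $mode
                Finding       = if ($mode -eq 'None') { 'Extended Protection off' } else { 'OK' }
            }
        }
    }
}

# IIS 10 (Windows Server 2019 and later) exposes HSTS as a site-level <hsts> element (assumed path).
$script:HstsFilter = "system.applicationHost/sites/site[@name='Default Web Site']/hsts"

function Get-HstsStatus {
    $h = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $script:HstsFilter -ErrorAction SilentlyContinue
    $enabled = [bool]($h -and $h.enabled)
    $maxAge  = if ($h) { [int]$h.'max-age' } else { 0 }
    [pscustomobject]@{
        Enabled           = $enabled
        MaxAge            = $maxAge
        IncludeSubDomains = [bool]($h -and $h.includeSubDomains)
        Finding           = if ($enabled -and $maxAge -ge 31536000) { 'OK' } else { 'HSTS off or max-age below one year' }
    }
}

function Enable-Hsts {
    # Hardened values: enabled, one-year max-age. includeSubDomains is deliberately left alone;
    # the Exchange namespace may share a parent domain with hosts that are not HTTPS-only yet.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Default Web Site', 'Enable HSTS with max-age=31536000')) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $script:HstsFilter -Name 'enabled' -Value $true
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $script:HstsFilter -Name 'max-age' -Value 31536000
    }
}

# Report: lifecycle status of every server, only the directories with a finding, and the HSTS state.
Get-ExchangeSupportStatus | Format-Table -AutoSize
Get-ExchangeExtendedProtection | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
Get-HstsStatus | Format-List
# Enable-Hsts -WhatIf    # preview the change; run without -WhatIf once it has been tested
```

The Extended Protection check only tells you where it is switched off; the per-directory Allow/Require targets, and the TLS prerequisites that must be in place before enabling it, come from Microsoft's own ExchangeExtendedProtectionManagement and HealthChecker scripts in the CSS-Exchange repository, which remain the authoritative tools for that step.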
Similar Happenings
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws
Microsoft's October 2025 Patch Tuesday marks the end of free security updates for Windows 10, with the release of the final cumulative update KB5066791. This update addresses 183 vulnerabilities, including six zero-day flaws, and is mandatory for all Windows 10 users. Extended Security Updates (ESU) are available for purchase for up to three years for enterprise users and one year for consumers. The patches cover a range of vulnerabilities, including critical remote code execution and elevation of privilege issues. The zero-day vulnerabilities affect various components, such as Windows SMB Server, Microsoft SQL Server, Windows Agere Modem Driver, Windows Remote Access Connection Manager, AMD EPYC processors, and TCG TPM 2.0. Some of these flaws have been publicly disclosed or actively exploited. The update also includes fixes for vulnerabilities in third-party components, such as IGEL OS and AMD EPYC processors. Additionally, Microsoft Office users should be aware of CVE-2025-59227 and CVE-2025-59234, which exploit the Preview Pane. The update is the largest on record for Microsoft, with 183 CVEs, pushing the number of unique vulnerabilities released so far this year to more than 1,021. The update includes fixes for a wide range of vulnerabilities, including remote code execution (RCE), elevation of privilege, data theft, denial of service (DoS), and security feature bypass issues. The update also marks the end of life for Windows 10, meaning Microsoft will no longer issue regular patches for vulnerabilities in the operating system as part of its regular Patch Tuesday updates. Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative. 
Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade. The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates for a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. 
Microsoft has released security updates for all impacted Windows Server versions, including Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Workarounds for admins who can't immediately install these emergency patches include disabling the WSUS Server Role or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall. The OOB update supersedes all previous updates for affected versions, and users are advised to install it as soon as possible.
Proactive Threat Hunting Enhances Cybersecurity Readiness
Proactive threat hunting is crucial for enhancing cybersecurity readiness beyond traditional awareness campaigns. It identifies and mitigates vulnerabilities before they can be exploited, focusing on the proactive left side of the Cyber Defense Matrix. This approach involves continuous threat exposure management (CTEM), which models threats, validates controls, and secures the business environment. By collecting comprehensive data, mapping attack paths, and prioritizing by business impact, organizations can achieve a deeper understanding of their security posture and strengthen their defenses. Security Awareness Month highlights the importance of human behavior in cybersecurity but acknowledges that awareness alone is insufficient. Proactive threat hunting complements awareness by providing actionable insights and continuous validation of security measures.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as modifying the ROM monitor (ROMMON) boot firmware to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances were vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.
Cisco disclosed a new attack variant targeting devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases susceptible to CVE-2025-20333 and CVE-2025-20362. The new attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions. Cisco credited security researcher Jahmel Harris for discovering and reporting the vulnerabilities. Cisco addressed two critical security flaws in Unified Contact Center Express (Unified CCX) that could permit an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root. Cisco has shipped patches for a high-severity DoS bug (CVE-2025-20343) in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause a susceptible device to restart unexpectedly. Cisco warned that vulnerabilities CVE-2025-20362 and CVE-2025-20333 are now being exploited to force ASA and FTD firewalls into reboot loops. Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from nearly 50,000 unpatched firewalls in September. Cisco disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. Cisco attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes. On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities, causing unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. 
Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).