CISA issues emergency directive for Microsoft Exchange vulnerability mitigation
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-02 to address a post-authentication vulnerability in hybrid Microsoft Exchange deployments, designated CVE-2025-53786. An attacker who already holds administrative access to an on-premises Exchange server can abuse the identity that on-premises Exchange shares with Exchange Online in the legacy hybrid configuration to escalate privileges into the organization's connected Microsoft 365 cloud environment. Federal civilian agencies are required to immediately implement Microsoft's mitigation guidance for hybrid deployments. No active exploitation had been reported at the time of the directive, but the vulnerability could severely impact identity integrity and administrative access if left unaddressed. CISA Acting Director Madhu Gottumukkala emphasized the significant risk this vulnerability poses to federal systems and urged all organizations, not only federal agencies, to adopt the directive's actions.
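As an added editorial check (not from CISA's directive, Microsoft's advisory, or the page's source), the PowerShell below inventories what the mitigation depends on: the build of each on-premises Exchange server, whether the organization is hybrid at all, whether a setting override for the dedicated hybrid app exists, and whether the on-premises OAuth certificate still sits as a key credential on the tenant's first-party Exchange Online service principal, which is the shared identity the vulnerability abuses. Assumptions: Part 1 runs in the Exchange Management Shell; Part 2 uses the Microsoft.Graph.Applications module with the Application.Read.All scope; the exact name of the setting override is not confirmed here, so the script lists every override mentioning "Hybrid" rather than hard-coding one; minimum build numbers are likewise left to Microsoft's published table. Microsoft's supported check is its Exchange Server Health Checker script (HealthChecker.ps1); this is a lighter, read-only cross-check, not a replacement.

```powershell
# Added check (editor's example, not part of ED 25-02 or Microsoft's guidance):
# inventory the pieces that CVE-2025-53786 mitigation depends on.
# Part 1 runs in the Exchange Management Shell on an on-premises server.
# Part 2 needs the Microsoft.Graph.Applications module and a sign-in that can
# grant Application.Read.All (e.g. Global Reader). Both parts are read-only.

# ---------- Part 1: on-premises Exchange ----------

# Every Exchange server with its build. Compare AdminDisplayVersion against the
# April 2025 (or later) Hotfix Update builds that Microsoft publishes per CU;
# build numbers are deliberately not hard-coded here.
Get-ExchangeServer |
    Select-Object Name, ServerRole, Edition, AdminDisplayVersion |
    Sort-Object Name |
    Format-Table -AutoSize

# Only hybrid organizations are exposed: no hybrid configuration object means
# no shared identity with Exchange Online.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if (-not $hybrid) {
    Write-Host 'No hybrid configuration found; the hybrid-specific exposure does not apply.'
}
else {
    Write-Host 'Hybrid configuration present; checking for a dedicated hybrid app override.'
    # Microsoft's ConfigureExchangeHybridApplication.ps1 records the switch to the
    # dedicated hybrid app as a setting override. The exact override name is an
    # assumption, so list every override that mentions 'Hybrid' and inspect it.
    $overrides = Get-SettingOverride |
        Where-Object { $_.Name -like '*Hybrid*' -or (($_.Parameters -join ' ') -like '*Hybrid*') }
    if ($overrides) {
        $overrides | Format-List Name, Component, Section, Parameters, Status
    }
    else {
        Write-Host 'No hybrid-related setting override found: dedicated hybrid app likely NOT configured.'
    }
}

# The OAuth certificate on-prem Exchange presents to Exchange Online. After the
# dedicated app is in place and clean-up has run, this thumbprint should no
# longer be a credential on the shared first-party service principal (Part 2).
$onPremThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
Write-Host "On-prem OAuth certificate thumbprint: $onPremThumbprint"

# ---------- Part 2: Microsoft Entra via Microsoft Graph PowerShell ----------

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# 00000002-0000-0ff1-ce00-000000000000 is the well-known app ID of the
# first-party 'Office 365 Exchange Online' application. In the legacy hybrid
# model the on-prem OAuth certificate is added as a keyCredential on the
# tenant's service principal for this app; that shared credential is what lets
# an on-prem Exchange admin act inside the cloud tenant.
$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"

$creds = foreach ($k in $exoSp.KeyCredentials) {
    # CustomKeyIdentifier carries the certificate thumbprint as raw bytes;
    # render it as upper-case hex so it matches the Exchange thumbprint format.
    $thumb = if ($k.CustomKeyIdentifier) {
        ($k.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
    } else { '' }
    [pscustomobject]@{
        DisplayName = $k.DisplayName
        Type        = $k.Type
        Usage       = $k.Usage
        Expires     = $k.EndDateTime
        Thumbprint  = $thumb
    }
}

if (-not $creds) {
    Write-Host 'No key credentials on the Exchange Online service principal: legacy shared credential already cleaned up.'
}
else {
    $creds | Format-Table -AutoSize
    if ($onPremThumbprint -and ($creds.Thumbprint -contains $onPremThumbprint)) {
        Write-Warning "On-prem OAuth cert $onPremThumbprint is still a credential on the shared service principal. Finish the dedicated hybrid app rollout and run Microsoft's service principal clean-up."
    }
}
```

Run Part 1 on a server of each Exchange version in the organization, since the build check is per server while the hybrid and auth-config objects are per organization. The warning in Part 2 is the condition that matters for this CVE: as long as the on-premises OAuth certificate remains a credential on the tenant's Exchange Online service principal, an attacker with on-premises Exchange administrative rights has a path into the cloud tenant regardless of the installed Exchange build.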
Timeline
- 07.08.2025 15:00 (1 article)
CISA issues emergency directive for Microsoft Exchange vulnerability mitigation
On August 7, 2025, CISA issued Emergency Directive 25-02 to address a post-authentication vulnerability in hybrid Microsoft Exchange deployments, designated CVE-2025-53786. The flaw allows an attacker who already holds administrative access to an on-premises Exchange server to escalate privileges into the organization's connected cloud environment. Federal civilian agencies are required to immediately implement Microsoft's mitigation guidance.
Sources:
- CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability (www.cisa.gov, 07.08.2025 15:00)
Information Snippets
- CISA issued Emergency Directive 25-02 on August 7, 2025.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
- The vulnerability, CVE-2025-53786, affects hybrid Microsoft Exchange environments.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
- The vulnerability allows an attacker who already has administrative access to an on-premises Exchange server to escalate privileges into connected cloud environments.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
- No active exploitation of CVE-2025-53786 had been reported at the time of the directive.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
- Federal civilian agencies are mandated to implement the vendor's mitigation guidance.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
- CISA will assess and support agency adherence to the directive.
  First reported: 07.08.2025 15:00 (1 source, 1 article: www.cisa.gov)
Similar Happenings
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows an attacker with low-privileged user access to inject and execute arbitrary ABAP code, which can lead to full system compromise: unauthorized modification of the SAP database, creation of superuser accounts, theft of password hashes, and access to the operating system and all data in the targeted SAP system. Both the on-premises and private cloud editions of SAP S/4HANA are affected. SecurityBridge discovered the vulnerability, reported it to SAP on June 27, 2025, and assisted in developing the patch; the vendor shipped the fix on August 11, 2025. Many systems have not applied the update and are now being targeted by attackers who have weaponized the bug; SecurityBridge and Pathlock have both confirmed active exploitation, and the patch is relatively easy to reverse engineer into a working exploit. Organizations are urged to apply the patch immediately, monitor logs for suspicious activity, and add compensating controls such as SAP's Unified Connectivity framework (UCON) to restrict RFC usage.
Active exploitation of TP-Link TL-WA855RE Wi-Fi range extender vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a missing-authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extenders. The flaw, tracked as CVE-2020-24363, allows an attacker on the same network to send unauthenticated factory-reset and reboot requests and then take administrative control of the device. The vulnerability was disclosed in August 2020 and fixed by TP-Link in firmware updates, but the product is now discontinued, and users are advised to retire it. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to address it by September 23, 2025. On September 4, 2025, CISA added two further TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to the KEV catalog, citing evidence of active exploitation. These affect multiple TP-Link router models, some of which have reached end-of-life. TP-Link released firmware updates in November 2024 to address them but recommends upgrading to newer hardware for better protection.
Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects versions 15, 16, and 17 of FreePBX. Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel. Sangoma has released patches for the vulnerability and provided indicators-of-compromise (IOCs) to help administrators detect exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply fixes by September 19, 2025.
Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks
Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity and providing actionable guidance and intelligence to help organizations defend against it. The advisory builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025; it attributes the activity to a cluster of multiple APTs whose indicators overlap with industry reporting on various Chinese state-sponsored groups, and which only partially overlaps with Salt Typhoon. Salt Typhoon has been active since at least 2019 and has targeted at least 600 organizations in 80 countries, including 200 in the U.S. Separately, the Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and over the remote administration of technical assets. The Czech government had previously accused China of targeting its critical infrastructure through APT31 in a campaign that began in 2022. China's offensive cyber activities include large-scale telecommunications intrusions by Salt Typhoon and pre-positioning for potential destructive cyberattacks.
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. NUKIB has assessed the risk of significant disruptions caused by China as 'High', indicating a high probability of occurrence, and has confirmed malicious activity by Chinese cyber actors targeting the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. NUKIB also states that the Chinese government has access to data stored by private cloud service providers within the Czech Republic, so that sensitive data is always within its reach, and warns that consumer devices manufactured by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters, are risky because they can transfer potentially sensitive data to Chinese infrastructure. In addition, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020.
Apple zero-day flaw in Image I/O framework exploited in targeted attacks
Apple has patched a zero-day vulnerability in the Image I/O framework (CVE-2025-43300) that was exploited in targeted attacks. The flaw is an out-of-bounds write that can cause memory corruption when processing a malicious image, and could lead to remote code execution. Apple has released fixes in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8, covering iPhone XS and later, various iPad models, and Macs running those macOS versions. The flaw was discovered internally by Apple and addressed with improved bounds checking. Apple says it was exploited in 'extremely sophisticated' attacks against specific individuals, wording that suggests nation-state or commercial spyware activity; the attacker's identity and specific targets remain unknown. Users are advised to update their devices immediately. This brings to seven the number of zero-days exploited in real-world attacks that Apple has fixed since the start of the year; earlier ones include CVE-2025-24200 and CVE-2025-43200, also exploited in targeted attacks. WhatsApp has patched a related vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks. The flaw, tracked as CVE-2025-55177, affects WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78. It is an insufficient-authorization issue in the handling of linked-device synchronization messages, and in combination with the Apple zero-day (CVE-2025-43300) it may have been exploited in a sophisticated attack against specific targeted users.
WhatsApp has notified an unspecified number of individuals whom it believes were targeted in the past 90 days by an advanced spyware campaign using CVE-2025-55177. The attacks affected both iPhone and Android users, including members of civil society; WhatsApp sent in-app threat notifications to fewer than 200 users who may have been targeted. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55177 to its Known Exploited Vulnerabilities (KEV) catalog, noting that it was chained with the Apple zero-day (CVE-2025-43300) in a highly targeted spyware campaign. Federal Civilian Executive Branch (FCEB) agencies are required to apply the mitigations for both vulnerabilities by September 23, 2025.