The Cybersecurity and Infrastructure Security Agency has issued Emergency Directive 25-02 to address a security flaw affecting organizations that run Microsoft Exchange Server in a hybrid configuration with Exchange Online. The agency said Thursday that it is ordering federal agencies to respond to the risk by following Microsoft’s mitigation instructions.
The post-authentication vulnerability, tracked as CVE-2025-53786, could allow an attacker who already holds administrative access to an on-premises Exchange server to escalate privileges into the organization’s connected Microsoft cloud environment. CISA said it has not yet observed the flaw being exploited in the wild, but warned that, if left unresolved, it could let an attacker take control of an organization’s administrative functions in its cloud services.

CISA’s Madhu Gottumukkala Shares Thoughts
Commenting on the security risk, CISA Acting Director Madhu Gottumukkala said the agency is “taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend.”
“The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive,” he added.