(TLP:CLEAR) WaterISAC Notification – Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786)
Created: Thursday, August 7, 2025 - 16:01
Categories: Cybersecurity
Summary: Members using a Microsoft Exchange hybrid deployment (a combination of on-premises Microsoft Exchange Server and Exchange Online) are encouraged to review this notification and address it accordingly.
WaterISAC is providing this information for situational awareness and is not aware of any related incidents impacting the water sector. Still, WaterISAC encourages members using Microsoft Exchange Server to review Microsoft’s guidance and apply the recommended mitigations. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions.
What you need to know: CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premises Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service.
CISA also issued an Emergency Directive that directs all Federal Civilian Executive Branch agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. Access the alert here.
Mitigation Recommendations:
While Microsoft has stated it is not aware of exploitation at the time of publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below. Failure to address impacted systems accordingly leaves the organization vulnerable to a total domain compromise of both its hybrid cloud and on-premises environments.
Organizations should review Microsoft’s blog, “Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions,” for additional guidance as it becomes available.
Incident Reporting:
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.