
Say goodbye to the Blue Screen of Death

PATCH WATCH By Susan Bradley For decades, the one constant of a crashing Windows PC has been that telltale blue screen. Windows 11 24H2 gets a revamped BSOD. Thankfully, they’ve become rarer. At the same time, they are strangely visible. I’ve walked by digital kiosks in shopping malls and airport signs hung at a BSOD. […]

Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings

Microsoft’s monthly batch of patches includes a vulnerability affecting on-premises Microsoft Exchange servers that the company and federal authorities warned about in a series of alerts last week. In its latest security update Tuesday, Microsoft maintained the flaw hasn’t been exploited in the wild and designated the exploitability of the defect — CVE-2025-53786 — as “more likely.”

Organizations have not applied the previously issued patch for the high-severity vulnerability en masse, despite the serious alarm raised by officials. More than 28,000 accessible Microsoft Exchange servers remained unpatched as of Monday, according to Shadowserver scans.

The Cybersecurity and Infrastructure Security Agency’s deadline for all federal agencies to update eligible servers with a previously issued hotfix and disconnect outdated Exchange servers passed on Monday. 

Microsoft addressed 111 vulnerabilities affecting its various enterprise products, cloud services and foundational Windows systems in this month’s security update. The set of disclosures includes four additional defects affecting Microsoft Exchange Server.

The security update also comes on the heels of an attack spree targeting zero-day vulnerabilities in on-premises Microsoft SharePoint servers. More than 400 organizations were actively compromised by those attacks, including the Departments of Energy, Homeland Security and Health and Human Services. 

Those zero-days — CVE-2025-53770 and CVE-2025-53771 — are variants of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — that Microsoft addressed in its security update last month.

Microsoft said none of the vulnerabilities in this month’s update are actively exploited. Yet, researchers described CVE-2025-53779, an elevation of privilege vulnerability affecting Windows Kerberos, as a zero-day because functional exploit code exists.

“While Microsoft rates this flaw as ‘exploitation less likely’ with ‘moderate’ severity, the combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” Mike Walters, president and co-founder of Action1, said in an email. “The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralized IT environments. Once compromised, they can quickly lead to full domain takeover.”

The most critical vulnerability — CVE-2025-53767 — is a maximum-severity defect affecting Azure OpenAI, a cloud-based platform that provides access to OpenAI’s large language models. Additionally, a pair of critical, remote-code execution vulnerabilities with CVSS scores of 9.8 — CVE-2025-53766 and CVE-2025-50165 — affect Windows GDI+ and the Microsoft Graphics Component, respectively. 

The vulnerability in Microsoft Graphics Component could attract threat groups due to its high rating and ubiquitous use across environments. “The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said in an email. 

“This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack,” McCarthy added.

The remaining critical vulnerabilities in this month’s security update include CVE-2025-53792, which affects Azure Portal, and CVE-2025-50171, which affects Remote Desktop Server.

Nearly 2 in 5 CVEs Microsoft patched this month are elevation of privilege vulnerabilities, reflecting an “upward trend in post-compromise vulnerabilities over code execution bugs,” Satnam Narang, senior staff research engineer at Tenable, said in an email. 

Microsoft’s monthly security fix includes 17 vulnerabilities that affect Microsoft Office and standalone Office products. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings appeared first on CyberScoop.

CISA, Microsoft warn organizations of high-severity Microsoft Exchange vulnerability

LAS VEGAS — Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 

Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 

While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.

Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment. 

Attackers could escalate privileges in an organization’s connected cloud environment because on-premises and cloud-based versions of Exchange share the same permissions in hybrid configurations, Microsoft said in its advisory. The vulnerability affects Entra ID, Microsoft’s identity and access management service, potentially exposing a path for attackers to move from a compromised on-premises Exchange server to a connected cloud-based counterpart.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive Thursday requiring all federal agencies to run Microsoft’s Exchange Server Health Checker script, update all servers eligible for the hotfix updates and disconnect all end-of-life Exchange servers by 9 a.m. EDT Monday.

“This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical,” CISA said in the emergency directive.

“Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s Microsoft 365 Exchange Online environment.”

Microsoft said it already addressed the vulnerability in April when it introduced changes to improve the security of Exchange Server hybrid deployments. The company and CISA urged organizations to apply Microsoft’s April 2025 Exchange Server hotfix updates to on-premises Exchange servers, implement the configuration changes and clear certificates from the shared service principal.

Starting later this month, Microsoft said it will temporarily block Exchange Web Services traffic using the shared service principal. That block will be permanent by the end of October, the company said.

The move is part of Microsoft’s strategy to accelerate and eventually force customers to adopt its dedicated Exchange hybrid app. “Even though adoption of server versions that support dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low,” Microsoft said in a blog post.

CISA also advised organizations to disconnect any internet-exposed and end-of-life versions of Exchange Server and SharePoint Server.

The coordinated disclosure of the vulnerability comes less than three weeks after security researchers across the industry sounded the alarm about a mass attack spree linked to a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers. More than 400 organizations were impacted by those attacks, including multiple government agencies, among them the Departments of Energy, Homeland Security and Health and Human Services.

This story was updated Aug. 7 with details on CISA’s emergency directive.

The post CISA, Microsoft warn organizations of high-severity Microsoft Exchange vulnerability appeared first on CyberScoop.

China accuses US of exploiting Microsoft zero-day in cyberattack

U.S. intelligence agencies launched cyberattacks on two Chinese military enterprises dating back to 2022, in one case exploiting a Microsoft zero-day, China alleged Friday.

The Cyber Security Association of China said that in the first case, U.S. agencies from July of 2022 to July of 2023 “exploited a zero-day vulnerability in Microsoft Exchange Mail to attack and control the mail server of a major Chinese military enterprise for nearly a year,” according to a Google translation of the statement. They then used that access to steal data, the statement continues.

In the second case, the association said the U.S. agencies “launched a cyberattack against a Chinese military enterprise in the communications and satellite internet sectors” from July to November of last year by exploiting vulnerabilities in electronic file systems, where they also stole information. The statement didn’t name either enterprise.

While Chinese allegations of U.S. government hacking have become increasingly common — including a batch of allegations in April and in December of last year — the latest accusation is notable for its assertion that the agencies exploited a zero-day, or previously unknown and unpatched vulnerability, at U.S.-headquartered Microsoft.

Last week, Microsoft accused Chinese government-linked hackers of exploiting zero-days in its SharePoint product in its own most recent finger-pointing at Beijing.

The Office of the Director of National Intelligence did not immediately respond to a request for comment Friday.

Asked on Fox News in June about Chinese hacking and theft of U.S. intellectual property, President Donald Trump answered bluntly.

“You don’t think we do that to them? We do. We do a lot of things,” Trump said. “That’s the way the world works. It’s a nasty world.”

China has also alleged cyberattacks from other governments, particularly from Taiwan, even as it has focused much of its attention on the United States. It tallied 600 foreign government-level attacks in 2024 alone.

“Hacker groups, particularly those affiliated with US intelligence agencies, leverage established cyberattack teams, extensive supporting engineering systems, a standardized attack equipment arsenal, and robust vulnerability analysis and discovery capabilities to conduct attacks and infiltration against [China’s] critical information infrastructure, important information systems, and key personnel, posing a serious threat to national cybersecurity,” the Friday statement reads.

The post China accuses US of exploiting Microsoft zero-day in cyberattack appeared first on CyberScoop.

Abusing Exchange Mailbox Permissions with MailSniper

Beau Bullock // Overview Microsoft Exchange users have the power to grant other users various levels of access to their mailbox folders. For example, a user can grant other users […]

The post Abusing Exchange Mailbox Permissions with MailSniper appeared first on Black Hills Information Security, Inc..
