CISA Offers Insight on New, Ongoing Microsoft Vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) recently issued guidance on two sets of Microsoft vulnerabilities: a privilege-escalation flaw in Exchange Server hybrid deployments and the actively exploited SharePoint Server vulnerabilities known as "ToolShell".

Most recently, CISA announced a newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor who already has administrative access to an on-premises Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. Because a hybrid deployment shares an identity trust with the cloud tenant, the vulnerability, if not addressed, could compromise the identity integrity of an organization's Exchange Online service.

While Microsoft has stated that no exploitation had been observed at the time of the alert's publication, CISA strongly urges organizations to implement Microsoft's Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance, or risk a total domain compromise spanning both the on-premises environment and the hybrid cloud. The guidance entails:

  1. If using Exchange hybrid, review Microsoft's guidance Exchange Server Security Changes for Hybrid Deployments to determine whether your hybrid deployment is potentially affected and whether a Cumulative Update (CU) is available for your servers.
  2. Install Microsoft's April 2025 Exchange Server Hotfix Updates on the on-premises Exchange servers and follow Microsoft's configuration instructions in Deploy dedicated Exchange hybrid app.
  3. For organizations using Exchange hybrid (or that previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode guidance for resetting the service principal's keyCredentials. A dormant hybrid configuration still carries the shared trust, so this step applies even when hybrid is no longer in active use.
  4. Upon completion, run the Microsoft Exchange Health Checker to determine whether further steps are required.
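The following PowerShell is an added example of how an administrator might verify steps 1 through 3 before running the Health Checker; it is not code from CISA or Microsoft. It assumes that Get-HybridPatchState runs in the Exchange Management Shell with PowerShell remoting to each Exchange server, that -MinimumBuild is the April 2025 (or later) hotfix build for your CU taken from Microsoft's Exchange build-number table, that Test-ExchangeOnlineServicePrincipal has the Microsoft.Graph SDK installed and consent to Application.Read.All, and that 00000002-0000-0ff1-ce00-000000000000 is the well-known app ID of the first-party Exchange Online service principal.

```powershell
# Added verification helpers; not CISA's or Microsoft's own code. Assumptions:
#  - Get-HybridPatchState runs in the Exchange Management Shell and can remote
#    to every Exchange server; -MinimumBuild comes from Microsoft's build table.
#  - Test-ExchangeOnlineServicePrincipal needs the Microsoft.Graph SDK and
#    consent to Application.Read.All; 00000002-0000-0ff1-ce00-000000000000 is
#    the well-known app ID of the first-party Exchange Online service principal.

function Get-HybridPatchState {
    param([Parameter(Mandatory)][version]$MinimumBuild)

    # Step 1: an org that never ran the Hybrid Configuration Wizard has no
    # HybridConfiguration object, so this is $null there.
    $hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue

    # Step 2: AdminDisplayVersion only reflects the CU. The file version of
    # ExSetup.exe also changes with each hotfix, so read it on every server.
    $servers = foreach ($srv in Get-ExchangeServer) {
        $build = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
        }
        [pscustomobject]@{
            Server  = $srv.Name
            CU      = $srv.AdminDisplayVersion
            Build   = [version]$build
            Patched = ([version]$build -ge $MinimumBuild)
        }
    }
    [pscustomobject]@{
        HybridConfigured = [bool]$hybrid
        Servers          = $servers
        AllPatched       = -not ($servers | Where-Object { -not $_.Patched })
    }
}

function Test-ExchangeOnlineServicePrincipal {
    # Step 3: Service Principal Clean-Up Mode resets the keyCredentials that let
    # the on-premises server act as Exchange Online. Anything still listed here
    # after cleanup is a trust relationship that needs review.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $sp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'" `
                                 -Property 'id,displayName,keyCredentials'
    $creds = @($sp.KeyCredentials)
    foreach ($c in $creds) {
        [pscustomobject]@{
            DisplayName = $c.DisplayName
            Type        = $c.Type
            Usage       = $c.Usage
            NotBefore   = $c.StartDateTime
            NotAfter    = $c.EndDateTime
            KeyId       = $c.KeyId
        }
    }
    if ($creds.Count -eq 0) {
        Write-Host 'No keyCredentials remain on the Exchange Online service principal.'
    }
}

# Usage (substitute the hotfix build for your CU from Microsoft's table):
# Get-HybridPatchState -MinimumBuild <build> | Format-List
# Test-ExchangeOnlineServicePrincipal
```

Get-HybridPatchState reports whether hybrid is configured at all and whether every server carries at least the required hotfix build; Test-ExchangeOnlineServicePrincipal lists any certificate credentials still attached to the shared service principal after cleanup. Neither replaces step 4: the Exchange Health Checker remains the authoritative final check.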

CISA strongly recommends that organizations disconnect from the internet any public-facing Exchange Server or SharePoint Server that has reached end-of-life (EOL) or end-of-service. For example, SharePoint Server 2013 and earlier versions are EOL, receive no security updates, and should be discontinued if still in use.

CISA also published a Malware Analysis Report (MAR) containing analysis of, and detection signatures for, files related to the Microsoft SharePoint vulnerabilities:

Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (an exploit chain publicly known as "ToolShell") to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files: two dynamic-link libraries (DLLs), one cryptographic key stealer, and three web shells.

Cyber threat actors could use this malware to steal cryptographic keys and to execute a Base64-encoded PowerShell command that fingerprints the host system and exfiltrates data. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on July 20, 2025, and CVE-2025-49704 and CVE-2025-49706 on July 22, 2025.
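Encoded PowerShell of the kind described above is easy to overlook in process-creation logs because the payload is Base64 over UTF-16LE text. The helper below is an added triage example, not code or an indicator from CISA's MAR: it decodes any -EncodedCommand argument (including the abbreviations PowerShell accepts) from a command line, flags common reconnaissance and exfiltration primitives, and can be pointed at Security event 4688 where command-line auditing is enabled. The sample command line is constructed inside the script, with its payload built at runtime, and is not a real IOC.

```powershell
# Added triage helper; not code from CISA's MAR. The sample command line below
# is constructed here (its encoded payload is built at runtime), not an IOC.

function ConvertFrom-EncodedPowerShell {
    # Decodes every -EncodedCommand argument (and the accepted abbreviations
    # -e, -ec, -en, -enc) found in a process command line. PowerShell expects
    # the Base64 to wrap UTF-16LE text, hence [Text.Encoding]::Unicode.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        $pattern = '(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})'
        foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
            try {
                $bytes   = [Convert]::FromBase64String($m.Groups[1].Value)
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
            } catch { continue }   # not valid Base64: leave it alone
            # Crude triage hints: host-fingerprinting and exfiltration primitives
            # worth a closer look. Extend the list to taste.
            $hints = @('whoami', 'hostname', 'systeminfo', 'Get-ComputerInfo', 'ipconfig',
                       'Invoke-WebRequest', 'Net.WebClient', 'Compress-Archive') |
                     Where-Object { $decoded -match [regex]::Escape($_) }
            [pscustomobject]@{
                CommandLine = $CommandLine
                Decoded     = $decoded
                Hints       = ($hints -join ', ')
            }
        }
    }
}

function Get-EncodedCommandsFromSecurityLog {
    # Pulls CommandLine from Security 4688 events (requires process command-line
    # auditing to be enabled) and decodes any encoded payloads found.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object Name -eq 'CommandLine').'#text'
        } |
        Where-Object { $_ } |
        ConvertFrom-EncodedPowerShell
}

# Constructed demonstration input (payload is harmless recon, built at runtime).
$payload = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes('whoami; hostname; Get-ComputerInfo | Out-File $env:TEMP\x.txt'))
$sample  = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -enc $payload"
$sample | ConvertFrom-EncodedPowerShell | Format-List
```

On a suspected SharePoint host, run Get-EncodedCommandsFromSecurityLog and review the Decoded column alongside the YARA rules and IOCs in the MAR; the hint list is a starting point for triage, not a detection signature.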

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify the malware. For more information on the malware files and the YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.
