
CISA, NSA Issue Guidance on Hardening Microsoft Exchange Server Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued new guidance for organizations to help them secure their on-premises Microsoft Exchange servers. The guidance document builds on the advice issued in August 2025 on mitigating a high-severity vulnerability in Microsoft Exchange Server – CVE-2025-53786 – that posed a significant risk to organizations with Microsoft Exchange hybrid-joined configurations.

The flaw could be exploited by an unauthenticated attacker to move laterally from an on-premises Exchange server to the organization’s Microsoft 365 cloud environment. While the vulnerability could only be exploited if an attacker first gained administrative access to the on-premises Exchange server, CISA was particularly concerned about how easy it was to escalate privileges and gain control of parts of the victim’s Microsoft 365 environment.

Cyber actors have been targeting on-premises Exchange servers in hybrid environments, and CISA is concerned about organizations using misconfigured or unprotected Microsoft Exchange servers, especially Exchange Server versions that have reached end-of-life. In such cases, there is a high risk of compromise. The guidance – Microsoft Exchange Server Security Best Practices – was developed by CISA and the NSA, with assistance provided by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security (Cyber Centre). The document details proactive prevention measures and techniques for combating cyber threats and protecting sensitive data and communications.

“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.”


The authoring agencies stress that the most effective defense against Microsoft Exchange threats is ensuring that Exchange is updated to the latest version and Cumulative Update (CU). If an unsupported version is still in use, it should be updated to a supported version. The only supported version for on-premises Exchange is Microsoft Exchange Server Subscription Edition (SE), as support ended for previous versions on October 14, 2025. Organizations should also ensure that Microsoft’s Emergency Mitigation Service is turned on, as it will automatically apply defensive rules, disable legacy protocols, and block specific patterns of malicious HTTP requests.

Organizations should maintain a regular patching cadence, applying the monthly security updates and hotfixes promptly, as well as the two CUs per year. CISA warns that threat actors usually develop exploits for Exchange vulnerabilities within a few days of patches being released. If immediate patching is not possible, organizations should implement Microsoft’s interim mitigations.
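The two recommendations above (run a supported, current build and keep the Emergency Mitigation Service on) can be verified from the Exchange Management Shell. The script below is an added example, not code from CISA, the NSA or Microsoft; it assumes the Windows PowerShell 5.1 session the Exchange Management Shell provides, and `$MinimumSupportedBuild` is a placeholder that must be replaced with the current Exchange SE Cumulative Update build from Microsoft’s Exchange build-number table.

```powershell
# Added example: report each on-premises Exchange server's build and whether the
# Emergency Mitigation Service (EEMS) is enabled at the organization and server level.
# PLACEHOLDER: replace with the current Exchange SE CU build before trusting BuildIsCurrent.
$MinimumSupportedBuild = [version]'15.2.0.0'

function Get-ExchangeHardeningStatus {
    [CmdletBinding()]
    param([version]$MinimumBuild = $MinimumSupportedBuild)

    # Organization-level switch: when this is $false, EEMS is off on every server
    # regardless of the per-server setting.
    $orgMitigations = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer) {
        # AdminDisplayVersion renders as "Version 15.2 (Build 1544.4)"; parse it into a [version]
        $build = $null
        if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $build = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        }

        # State of the EEMS Windows service (MSExchangeMitigation) on that server.
        # Assumption: the shell account can query services remotely; otherwise run per server.
        $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

        $buildOk   = ($null -ne $build) -and ($build -ge $MinimumBuild)
        $eemsOk    = $orgMitigations -and $srv.MitigationsEnabled -and $svc -and ($svc.Status -eq 'Running')

        [pscustomobject]@{
            Server            = $srv.Name
            Build             = $build
            BuildIsCurrent    = $buildOk
            OrgMitigations    = $orgMitigations
            ServerMitigations = $srv.MitigationsEnabled
            EEMSServiceStatus = $(if ($svc) { $svc.Status } else { 'NotFound' })
            NeedsAttention    = -not ($buildOk -and $eemsOk)
        }
    }
}

# List servers that fail any check first so they stand out in the report
Get-ExchangeHardeningStatus | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

A server reporting `NeedsAttention = True` is either below the supplied minimum build or has EEMS disabled or not running, which is the condition the guidance singles out as high risk.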

CISA recommends that organizations enforce a prevention posture to address Exchange threats. The guidance serves as a blueprint for strengthening security, and covers hardening authentication and access controls, enforcing strong encryption, implementing multifactor authentication, enforcing strict transport security configurations, adopting zero-trust security principles, and minimizing application attack surfaces. The guidance is focused on securing on-premises Exchange servers. Organizations with Exchange servers in hybrid environments should follow the advice in CISA’s August 2025 Emergency Directive.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
