The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
“By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,” CISA said.
The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
Some of the best practices outlined are listed below –
- Maintain security updates and patching cadence
- Migrate end-of-life Exchange servers
- Ensure Exchange Emergency Mitigation Service remains enabled
- Apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines
- Enable antivirus solution, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and AppLocker and App Control for Business, Endpoint Detection and Response, and Exchange Server’s anti-spam and anti-malware features
- Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell and apply the principle of least privilege
- Harden authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
- Disable remote PowerShell access by users in the Exchange Management Shell (EMS)
“Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions,” the agencies noted. “Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations.”
CISA Updates CVE-2025-59287 Alert
The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.
The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks –
- Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe
- Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands
The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.
In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook[.]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.
The cybersecurity company told The Hacker News that it has identified six incidents in its customer environments to date, although further research has flagged at least 50 victims.
“This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations,” Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told The Hacker News in a statement.
“It’s possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they’ve gathered to identify new opportunities for intrusion. We’re not seeing further mass exploitation at this time, but it’s still early, and defenders should treat this as an early warning. Organizations should ensure their systems are fully patched and that WSUS servers are configured securely to reduce the risk of exploitation.”
Michael Haag, principal threat research engineer at Cisco-owned Splunk, noted in a post on X that CVE-2025-59287 “goes deeper than expected” and that they found an alternate attack chain that involves the use of the Microsoft Management Console binary (“mmc.exe”) to trigger the execution of “cmd.exe” when an admin opens WSUS Admin Console or hits “Reset Server Node.”
“This path triggers a 7053 Event Log crash,” Haag pointed out, adding it matches the stack trace spotted by Huntress at “C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log.”
