Urgent Cybersecurity Directive Issued to Mitigate Microsoft Exchange Vulnerability


By Tina Reynolds


On August 7, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive. This directive aimed to address the critical vulnerability recently discovered in Microsoft Exchange Server. This vulnerability is particularly worrisome for federal agencies that have adopted hybrid environments, where on-premise services still connect with cloud-based offerings. CISA’s directive mandates that Federal Civilian Executive Branch (FCEB) agencies implement essential mitigations by 9 a.m. EDT on August 11, 2025, to protect sensitive information and secure their networks.

The CVE-2023-38633 vulnerability allows bad actors to abuse the impersonation tokens used in these hybrid configurations. An attacker holding such a token gains unrestricted access to any hybrid user in the tenant for a whole day. Alarmingly, these tokens don’t even produce logs when they’re issued, making detection of, and response to, unauthorized access a herculean task. CISA urges all agencies to read up on the Exchange Server security changes related to hybrid operations to best counter this risk.

Mitigation Measures

CISA strongly encourages agencies to apply the April 2025 Hot Fix. Doing so addresses the named vulnerability and protects the affected system, and the fix is indispensable for improving security across hybrid ecosystems. Agencies are further encouraged to follow the configuration instructions specified for the dedicated hybrid app. This purpose-built application is intended to strengthen the security infrastructure and lessen the risk of abuse or misuse.

Additionally, Microsoft will begin to enforce a temporary block on EWS traffic that uses the Exchange Online shared service principal. This decision is part of a comprehensive strategy whose goal is to drive adoption of the dedicated hybrid app and improve security in hybrid setups.

“This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance.” – CISA

Exploitation Techniques

Cybercriminals exploit this vulnerability using sophisticated techniques. They deploy two Base64-encoded DLL binaries and leverage four Active Server Page Extended (ASPX) files to pull the machine key settings from an ASP.NET application’s configuration. In doing so, they can upload a web shell that lets them execute commands and upload files, all while hiding in plain sight.

The threat extends past merely obtaining access. It involves the potential theft of cryptographic keys and the execution of Base64-encoded PowerShell commands, which attackers can use to fingerprint host systems and exfiltrate sensitive data without authorization. Organizations need to move quickly to counter this danger.

“Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data.” – CISA

Recommendations for Agencies

CISA’s directive is a reminder that all FCEB agencies must make these security modifications a top priority as they deploy hybrid systems. Organizations therefore need to protect their on-premise deployments of Exchange Server. These deployments use certificate credentials to authenticate with Exchange Online, so those credentials must be properly protected. Neglecting to do so can leave cloud services exposed to exploitation, compounding the already dangerous potential of this CVE.

Microsoft has likewise stressed the need for caution by all companies running hybrid setups. An attacker who gains admin access to an on-prem Exchange server is a serious threat: they can then escalate privileges within the connected cloud environment, often without leaving observable traces.

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces.” – Microsoft

If your organization has ever configured Exchange hybrid or OAuth authentication in the past, buckle up! If you no longer use those configurations, reset the service principal’s key credentials immediately to avoid any abuse. This step is important in reducing the risks tied to shared service principals in hybrid environments.

“This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.” – Microsoft
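As an added example (not from the article, CISA or Microsoft), the following PowerShell audits whether the shared Exchange Online service principal in your tenant still carries certificate (key) credentials, which is the first thing to check before deciding whether they need to be reset. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the Application.Read.All permission.

```powershell
# Audit-only: list certificate credentials on the Exchange Online service principal.
# Added example, not part of the article or of Microsoft's own guidance scripts.
# Assumes: Microsoft.Graph PowerShell SDK installed; Application.Read.All granted.
Connect-MgGraph -Scopes "Application.Read.All" | Out-Null

# Well-known application ID of the first-party "Office 365 Exchange Online" app,
# the service principal that Exchange Server shares in a hybrid configuration.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

if (-not $sp) {
    Write-Host "Exchange Online service principal not found in this tenant."
    return
}

$creds = @($sp.KeyCredentials)
if ($creds.Count -eq 0) {
    Write-Host "No certificate credentials are attached to the shared service principal."
} else {
    Write-Host "Found $($creds.Count) certificate credential(s). Review whether each is still needed:"
    $creds |
        Select-Object DisplayName, Type, Usage, StartDateTime, EndDateTime, KeyId |
        Format-Table -AutoSize

    # Flag credentials that are still valid today; expired ones cannot be used.
    $now = Get-Date
    $live = $creds | Where-Object { $_.EndDateTime -gt $now }
    Write-Host "$($live.Count) credential(s) are currently within their validity period."
}
```

The block only reports; removing credentials that are no longer needed should follow the vendor's hybrid app guidance referenced in the article, since clearing them on a tenant that still relies on hybrid will break that connection.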