
CISA and NSA issue emergency guidance to protect WSUS and Microsoft Exchange servers

October 31, 2025 | Ravi Lakshmanan | Vulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), along with international partners in Australia and Canada, have released guidance for hardening on-premises Microsoft Exchange Server instances against potential abuse.

“By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting Zero Trust (ZT) security model principles, organizations can significantly strengthen their defenses against potential cyberattacks,” CISA said.

The agencies said malicious activity targeting Microsoft Exchange Server continues to occur, with unprotected and misconfigured instances bearing the brunt of the attacks. They recommend that organizations retire on-premises or hybrid Exchange servers that are no longer supported after migrating to Microsoft 365.


Some of the best practices outlined are listed below:

  • Maintain the cadence of security updates and patches
  • Migrate end-of-support Exchange servers
  • Ensure the Exchange Emergency Mitigation Service is enabled
  • Apply and maintain Exchange Server baselines, Windows security baselines, and applicable email client security baselines
  • Enable antivirus solutions, Windows Antimalware Scanning Interface (AMSI), attack surface reduction (ASR), AppLocker and App Control for Business, endpoint detection and response, and Exchange Server anti-spam and anti-malware features
  • Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell, and enforce the principle of least privilege
  • Strengthen authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
  • Disable remote PowerShell access for users in the Exchange Management Shell (EMS)

“Ensuring the security of Exchange servers is essential to maintaining the integrity and confidentiality of corporate communications and functions,” the agency notes. “Continuously assessing and strengthening the cybersecurity posture of these communications servers is critical to staying ahead of evolving cyber threats and robustly protecting Exchange as a core part of many organizations’ operations.”

CISA Updates CVE-2025-59287 Alert

This guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly repatched security flaw in the Windows Server Update Services (WSUS) component that could lead to remote code execution.

The agency recommends that organizations identify servers that are susceptible to exploitation, apply the out-of-band security updates released by Microsoft, and investigate signs of threat activity on their networks:

  • Monitor and scrutinize suspicious activity and child processes spawned with SYSTEM-level permissions, especially those originating from wsusservice.exe and w3wp.exe.
  • Monitor and investigate nested PowerShell processes that use Base64-encoded PowerShell commands.
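The two monitoring recommendations above can be expressed as a hunt over process-creation records. The following is an added example, not code from CISA, Microsoft, or the article: the record field names (`pid`, `parent_image`, `image`, `user`, `command_line`) and the sample events are constructed for illustration and would need mapping to whatever your process-creation telemetry actually exports.

```python
import base64
import re

SUSPECT_PARENTS = {"wsusservice.exe", "w3wp.exe"}  # parents named in the alert
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENC_NAMES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}  # -e, -enc, ... and -ec
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    for flag, blob in ENC_FLAG.findall(command_line):
        if flag.lower() not in ENC_NAMES:
            continue  # some other switch starting with "e", e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return "<undecodable Base64>"
    return None

def hunt(events):
    """Return (pid, rule, decoded_payload) for each matching process event."""
    findings = []
    for ev in events:
        parent, image = basename(ev["parent_image"]), basename(ev["image"])
        if parent in SUSPECT_PARENTS and ev["user"].upper().endswith("\\SYSTEM"):
            findings.append((ev["pid"], "system-child-of-" + parent, None))
        if image in POWERSHELL and parent in POWERSHELL:
            decoded = decode_encoded_command(ev["command_line"])
            if decoded is not None:
                findings.append((ev["pid"], "nested-encoded-powershell", decoded))
    return findings

def event(pid, parent, image, user, cmd):
    return dict(pid=pid, parent_image=parent, image=image, user=user, command_line=cmd)

SAMPLE_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()  # harmless payload
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    event(4100, "wsusservice.exe", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "cmd.exe /c ver"),
    event(4300, "powershell.exe", "powershell.exe", r"NT AUTHORITY\SYSTEM", "powershell.exe -NoP -enc " + SAMPLE_B64),
    event(5100, r"C:\Windows\System32\inetsrv\w3wp.exe", "csc.exe", r"IIS APPPOOL\WsusPool", "csc.exe /noconfig"),
    event(5200, "powershell.exe", "powershell.exe", r"CORP\admin", "powershell.exe -ExecutionPolicy RemoteSigned -File report.ps1"),
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Decoding the payload alongside the match lets an analyst triage the hit without a second lookup; the last two sample records show the cases that are deliberately not flagged (a non-SYSTEM child of w3wp.exe and a nested PowerShell without an encoded command).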


This development follows a Sophos report that threat actors are exploiting this vulnerability to collect sensitive data from US organizations across a variety of industries including universities, technology, manufacturing, and healthcare. This exploit activity was first detected on October 24, 2025, the day after Microsoft issued an update.

In these attacks, attackers have been found to leverage vulnerable Windows WSUS servers to execute Base64-encoded PowerShell commands and exfiltrate the results to a webhook[.]site endpoint. This corroborates other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.

The cybersecurity company told Hacker News that it has so far identified six incidents in customer environments, but further investigation has confirmed there are at least 50 victims.

“This activity shows that attackers moved quickly to exploit this critical vulnerability in WSUS and collect valuable data from vulnerable organizations,” Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told Hacker News in a statement.

“This is an early testing or reconnaissance phase, and the attackers may be analyzing the data they have currently collected to identify new opportunities for compromise. While we do not see any further mass exploitation at this time, it is still early days and defenders should treat this as an early warning. Organizations should ensure that their systems are fully patched and that their WSUS servers are securely configured to reduce the risk of exploitation.”

Michael Haag, principal threat research engineer at Cisco-owned Splunk, said in a post that he had discovered an alternative attack chain that uses “cmd.exe” to trigger the execution of “cmd.exe”.

“This path causes a 7053 event log crash,” Haag noted, adding that it matches the stack trace found by Huntress in “C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log.”

