A vulnerability in Microsoft Exchange leaves over 29,000 servers vulnerable. Learn how this unpatched security hole could compromise entire networks and what CISA is urging organisations to do now.
A critical security flaw in Microsoft Exchange has left thousands of servers exposed to a major security risk. The unpatched vulnerability, which affects hybrid cloud setups, could allow a hacker to gain complete control over an organisation’s entire network.
The flaw, tracked as CVE-2025-53786, impacts Exchange Server 2016, 2019, and the Subscription Edition. While no attacks have been officially confirmed, security experts believe that exploit code is likely to be developed, making these servers an attractive target for cybercriminals. The vulnerability lets attackers who already have some access to an on-premises Exchange server expand their privileges into the connected Microsoft cloud environment, in a way that is hard for organisations to spot.
Government Agencies Take Action
In response to this threat, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive. This order required all federal agencies with affected systems to fix the problem by Monday, August 11, at 9:00 AM ET.
CISA Acting Director Madhu Gottumukkala emphasised that while the directive is mandatory for federal agencies, the risks apply to all organisations using this environment. He strongly urged everyone to take the same protective measures.
A Global Problem
Scans from the security platform Shadowserver show that despite the urgency, over 29,000 servers remained unpatched as of August 10, just before CISA’s deadline. The US has the largest number of vulnerable servers, with more than 7,200 exposed.
Germany is close behind with over 6,700, followed by Russia with over 2,500. Shadowserver first detected this issue on August 7, noting “Over 28K IPs unpatched” and listing the US, Germany, and Russia as the top affected countries.

Microsoft had already provided a hotfix and guidance for this issue as part of its Secure Future Initiative. Organisations are being advised to apply the latest updates and, for older systems, to disconnect them from the internet entirely. Failing to do so could give attackers an easy path from on-premises systems into the cloud, potentially compromising all of an organisation’s data and services.
Expert Insight
Martin Jartelius, the CTO at Outpost24, commented on the situation, acknowledging that the large number of unpatched servers is “concerning, but not surprising.” He explained that many organisations were already running older, unmaintained systems. While some organisations with hybrid setups might believe they aren’t at risk, Jartelius warns that leaving a known flaw unpatched is an “open invitation to attackers.” He advises all organisations to continuously assess and fix these issues to strengthen their security.