CISA and NSA have released urgent security guidance for organizations running Microsoft Exchange Server, warning that on-premises instances face imminent threats from nation-state attackers and cybercriminals. The joint advisory, developed with Australia’s Cyber Security Centre and Canada’s Cyber Centre, addresses persistent exploitation attempts targeting both Exchange servers and Windows Server Update Services (WSUS) infrastructure.

Growing Exchange Server Threats

Exchange Server has become a prime target for sophisticated attacks, appearing 16 times on CISA’s Known Exploited Vulnerabilities catalog since 2021, with 12 of those vulnerabilities actively deployed in ransomware campaigns. The threat escalated significantly on October 14, 2025, when Microsoft ended support for Exchange 2016 and 2019, leaving countless organizations running end-of-life systems vulnerable to exploitation. According to CERT-Bund, approximately 92% of the 33,000 on-premises Exchange servers in Germany that are exposed online are running end-of-life versions.

Critical WSUS Vulnerability

Compounding security concerns is CVE-2025-59287, a critical Windows Server Update Services vulnerability that attackers are actively exploiting. Microsoft’s initial patch released on October 14 failed completely, forcing an emergency out-of-band security update on October 23. Threat actors exploited this window to breach systems, conduct reconnaissance, and exfiltrate sensitive data from multiple U.S. organizations spanning the university, technology, manufacturing, and healthcare sectors. Sophos has identified at least 50 victims to date, with six confirmed incidents in its customer environments.

Key Security Recommendations

Authentication and Access Control

Organizations must implement multi-factor authentication (MFA) for all privileged accounts and adopt Modern Authentication with OAuth 2.0. Administrative access to the Exchange Admin Center (EAC) and remote PowerShell should be restricted to dedicated systems following the principle of least privilege. CISA recommends disabling remote PowerShell access by users in the Exchange Management Shell and implementing role-based access control to manage permissions effectively.

Encryption and Transport Security

The guidance emphasizes enforcing Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS) to secure communications. Organizations should enable Extended Protection to block credential relay attacks and transition from outdated protocols like NTLM to more secure options such as Kerberos and SMBv3. Certificate-based signing for PowerShell scripts is also recommended to protect against tampering and unauthorized access.

Patching and Baseline Configuration

Maintaining a rigorous security update and patching cadence is critical for Exchange Server protection. Administrators should ensure servers run the latest Cumulative Updates and security patches using tools like Health Checker, SetupAssist, and Microsoft’s Update Guide. The Exchange Emergency Mitigation Service must remain enabled to automatically apply security fixes from Microsoft’s cloud, including IIS URL Rewrite rules and disabling vulnerable services.

Attack Surface Reduction

Organizations should enable Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), AppLocker, and App Control for Business alongside Endpoint Detection and Response capabilities. Exchange Server’s built-in anti-spam and anti-malware features should be activated, and organizations should apply Microsoft’s Exchange Server baseline and Windows security baselines.

Migration to Supported Platforms

CISA strongly advises organizations to evaluate cloud-based email services instead of managing complex on-premises infrastructure. For those transitioning to the cloud, CISA recommends adopting configuration baselines from its SCuBA (Secure Cloud Business Applications) program, which provides validated security settings tailored for cloud environments. Organizations maintaining on-premises deployments must migrate to Exchange Server Subscription Edition, the only supported version.

WSUS Response Actions

For the CVE-2025-59287 vulnerability, CISA recommends immediate action to identify susceptible servers and apply Microsoft’s out-of-band security update. Organizations should monitor suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and w3wp.exe. Security teams should also monitor for nested PowerShell processes using base64-encoded PowerShell commands, as attackers have leveraged this technique to harvest sensitive data.

Nick Andersen, Executive Assistant Director for CISA’s Cybersecurity Division, emphasized that “enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems”. The guidance builds upon CISA’s Emergency Directive 25-02 and represents an unprecedented level of international coordination, signaling the severity of threats facing Exchange Server environments.

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.