The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), alongside international partners from Australia and Canada, have released crucial guidance aimed at hardening on-premise Microsoft Exchange Server instances to prevent potential exploitation. Malicious activity targeting these servers remains a persistent threat, with unsecure or misconfigured instances being the most vulnerable. Organizations are strongly advised to decommission any end-of-life on-premises or hybrid Exchange servers after successfully transitioning their operations to Microsoft 365. This proactive approach, coupled with best practices like enforcing strict transport security and adopting a zero trust (ZT) security model, is essential for significantly bolstering defenses against evolving cyber threats.
Key best practices outlined by the agencies include maintaining a rigorous security updates and patching cadence, applying and maintaining Exchange Server and Windows security baselines, and ensuring the Exchange Emergency Mitigation Service remains enabled. Furthermore, organizations should enable robust security features such as antivirus solutions, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and Endpoint Detection and Response. The agencies stress that continuously evaluating and hardening the cybersecurity posture of these communication servers is paramount to maintaining the integrity and confidentiality of enterprise communications and functions.
Specific security enhancements focus on restricting access and hardening authentication. This involves applying the principle of least privilege and restricting administrative access to the Exchange Admin Center (EAC) and remote PowerShell. To strengthen authentication and encryption, organizations should configure Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), and Extended Protection (EP), while utilizing Kerberos and Server Message Block (SMB) instead of NTLM, and implementing multi-factor authentication. Disabling remote PowerShell access for regular users in the Exchange Management Shell (EMS) is another critical measure to reduce the attack surface.
This Exchange guidance follows closely on the heels of CISA updating an alert concerning CVE-2025-59287, a security flaw in the Windows Server Update Services (WSUS) component that allows for remote code execution. CISA recommends that organizations immediately identify susceptible servers, apply the out-of-band security update released by Microsoft, and actively investigate potential signs of threat activity on their networks. This includes monitoring and vetting suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe, as well as carefully checking for nested PowerShell processes that use base64-encoded commands.
Reports from security firms like Sophos indicate that threat actors are already exploiting the WSUS vulnerability to harvest sensitive data from various U.S. organizations across multiple sectors, including universities, technology, and healthcare. Attackers have been observed using vulnerable WSUS servers to execute Base64-encoded PowerShell commands and exfiltrate the collected results to external endpoints. Experts warn that this rapid exploitation, first detected just a day after Microsoft issued the update, suggests that attackers are moving quickly and potentially analyzing the gathered data for follow-on intrusions. Therefore, defenders must treat this as an early warning and ensure their systems are fully patched and WSUS servers are securely configured to mitigate the risk of successful exploitation, which some research suggests may involve an alternate attack chain using the Microsoft Management Console binary (mmc.exe).
Reference:
