CISA Issues Security Warnings For Exchange Server, VMware
Agencies issue advice about securing on-prem Exchange, and add a high-risk VMware bug to the KEV catalogue
The Cybersecurity and Infrastructure Security Agency and the National Security Agency have issued critical advice to users of Microsoft and VMware by Broadcom products to mitigate vulnerabilities.
CISA and the NSA released guidance to operators of on-premises Microsoft Exchange Server in the wake of numerous attacks that have targeted unpatched or misconfigured instances in recent months.
On-premises Exchange Server is a popular target for nation state and criminal hackers, both because it handles sensitive information and because it can be a stepping-stone for infiltrating connected systems.
Unlike cloud-based instances, in-house Exchange servers are frequently misconfigured or lack the latest security updates. Computing reported recently that more than 29,000 internet-connected Microsoft Exchange servers were vulnerable to a high-severity security flaw - despite a patch being available for months.
According to Nick Andersen, executive assistant director at CISA's cybersecurity division, the latest advice "empowers organizations to proactively mitigate threats, protect enterprise assets and ensure the resilience of their operations."
The guidance includes recommendations to proactively patch unsupported Exchange servers, retire legacy systems, harden authentication and improve encryption.
The agencies also recommend that admins activate Microsoft's Emergency Mitigation Service to protect against attacks on known vulnerabilities in Exchange Server, and enable other built-in protections from Microsoft or third-party vendors, working towards a zero-trust security model.
VMware Flaw Added To KEV Catalogue
CISA also added a high-severity VMware vulnerability, reported to be under active attack, to its Known Exploited Vulnerabilities (KEV) catalogue.
CVE-2025-41244 (severity rating 7.8, high) is a bug affecting Broadcom VMware Aria Operations and VMware Tools.
The vulnerability could allow a malicious local actor with non-administrative privileges to gain access to a virtual machine (VM) with VMware Tools installed and managed by Aria Operations. Once in, they could gain root privileges on the VM.
A patch for the glitch was released by Broadcom last month, but the vulnerability has reportedly been exploited by Chinese hacking group UNC5174 since last October.
According to CISA’s rules, U.S. federal agencies now have three weeks to ensure affected systems are patched.
This article originally appeared on MES Computing’s sister site Computing.