- Microsoft finds high-severity flaw in hybrid Exchange instances
- Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition
- A hotfix is available, so users should update now
Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in hybrid Exchange deployments.
Microsoft describes the issue as an “improper authentication” bug, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Threat actors with admin access to an on-prem Exchange Server can use the vulnerability to escalate privileges into the connected Exchange Online environment due to trust flaws in shared service principal configurations.
Matters could be even worse as activity from on-prem Exchange doesn’t always generate logs associated with malicious behavior in Microsoft 365, which could result in cyberattacks not being spotted via cloud-based auditing.
“Publicly available business information”
A hybrid Microsoft Exchange deployment combines on-premises Exchange servers with Exchange Online in Microsoft 365, allowing them to work together as one system. It lets organizations support seamless email, calendar, and contact sharing across both environments.
“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft said.
Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition.
Even though there is no evidence of abuse in the wild yet, Microsoft has urged its customers to apply April 2025 hotfixes, transition to the dedicated Exchange Hybrid app, and reset the shared service principal’s credentials to mitigate the risk.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory, urging IT teams to, besides the hotfix, review Microsoft’s Service Principal Clean-Up Mode and then run the Microsoft Exchange Health Checker.
Failing to do so could result in “hybrid cloud and on-premises total domain compromise,” CISA warned.
Via BleepingComputer