High-severity Vulnerability Identified in Microsoft Exchange Hybrid Deployments

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released alerts about a high-severity vulnerability affecting Exchange hybrid deployments. It can allow an attacker to escalate privileges in Exchange Online without being detected, potentially compromising the identity integrity of an organization's Exchange Online service.

The vulnerability, CVE-2025-53786, affects hybrid-joined configurations of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. It has a CVSS v3.1 base score of 8.0 and is caused by improper authentication. To exploit it, an attacker first needs administrative access to an on-premises Exchange server.

In hybrid Exchange deployments, the on-premises Exchange Server and Exchange Online share the same service principal for authentication between the on-premises and cloud environments. An attacker who has taken control of the on-premises Exchange server can forge or manipulate trusted tokens or API calls, and Exchange Online will accept them as legitimate because the on-premises Exchange Server is fully trusted. Because actions originating from the on-premises Exchange Server do not always leave auditable traces of malicious activity, audits of Exchange Online may not reveal a compromise that began on the on-premises server.

At the time of the alerts, no exploitation had been observed in the wild; however, Microsoft rates exploitation as more likely, so organizations with unprotected hybrid Microsoft Exchange environments should ensure they follow Microsoft's mitigation guidance:

  • Exchange hybrid customers should review Microsoft's Exchange Server Security for Hybrid Deployments updates to determine whether their deployment is affected and whether a Cumulative Update is available.
  • Install the Microsoft April 2025 Exchange Server Hotfix Updates on the on-premises Exchange server, and follow Microsoft's guidance on deploying a dedicated Exchange hybrid application.
  • Any organization that uses Exchange hybrid, or that previously configured Exchange hybrid but no longer uses it, should review Microsoft's Service Principal Clean-Up Mode, including the guidance on resetting the service principal's keyCredentials. Once these steps are complete, the Microsoft Exchange Health Checker should be run to determine whether further action is required.
  • Organizations running public-facing versions of SharePoint Server or Exchange Server that have reached end of life or end of service should disconnect them from the internet and discontinue their use.
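The checks below are an added illustration, not part of the article or of Microsoft's own tooling, of how an administrator can inventory the two things the mitigation list turns on: the on-premises Exchange build level and whether the shared Exchange Online service principal still carries keyCredentials (the condition Service Principal Clean-Up Mode removes). The function names are this example's own. It assumes an Exchange Management Shell for the on-premises part and the Microsoft.Graph.Applications module with Application.Read.All consent for the tenant part; the application ID is the well-known "Office 365 Exchange Online" first-party app ID and should be verified against Microsoft's guidance before use.

```powershell
# Added example (not from the article or from Microsoft). Run part 1 in the
# Exchange Management Shell on an on-premises server; run part 2 from any
# workstation with the Microsoft.Graph.Applications module installed.

# ---- Part 1: on-premises inventory -------------------------------------------
# AdminDisplayVersion shows the Cumulative Update level only; the hotfix level is
# taken from the ExSetup.exe file version, which HealthChecker.ps1 reports. Use
# this list to compare against Microsoft's published minimum builds.
function Get-HybridExchangeInventory {
    Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion

    # Shows whether a hybrid configuration object exists at all; organizations
    # that set up hybrid once and abandoned it still need the clean-up step.
    Get-HybridConfiguration
}

# ---- Part 2: tenant-side check of the shared service principal ---------------
# Assumed well-known app ID of the "Office 365 Exchange Online" first-party
# application; confirm it against Microsoft's dedicated hybrid app guidance.
function Test-ExchangeOnlineSharedPrincipalCredentials {
    param(
        [string]$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'
    )

    Connect-MgGraph -Scopes 'Application.Read.All'

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) {
        Write-Warning 'Exchange Online service principal not found in this tenant.'
        return
    }

    # keyCredentials on this principal are what hybrid configuration adds so the
    # on-premises server can authenticate as Exchange Online; Service Principal
    # Clean-Up Mode removes them once the dedicated hybrid app is in place.
    $creds = @($sp.KeyCredentials)
    if ($creds.Count -eq 0) {
        Write-Output 'No keyCredentials on the shared Exchange Online service principal (clean-up applied, or hybrid never configured).'
        return
    }

    Write-Warning ('{0} keyCredential(s) still present on the shared service principal; Service Principal Clean-Up Mode has not been run.' -f $creds.Count)
    $creds | Select-Object DisplayName, KeyId, StartDateTime, EndDateTime | Format-Table -AutoSize
}

# Usage:
#   Get-HybridExchangeInventory                      # on an Exchange server
#   Test-ExchangeOnlineSharedPrincipalCredentials    # from a Graph-enabled workstation
```

Neither function changes anything; both only read state, so they can be run before and after the mitigation steps to confirm that the hotfix has been applied and that the shared principal no longer holds credentials. Removal itself should be done with Microsoft's script in Service Principal Clean-Up Mode rather than by editing the principal by hand.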

Microsoft is urging customers to migrate to its dedicated Exchange hybrid application without delay to improve the security of their hybrid environments, and noted that beginning in August 2025 it will temporarily block Exchange Web Services traffic that uses the Exchange Online shared service principal, in order to accelerate adoption of the dedicated Exchange hybrid application. For healthcare organizations that use a dedicated Exchange hybrid application, system security of this kind is part of the HIPAA training they provide.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]