Microsoft urges admins to plug severe Exchange security hole (CVE-2025-53786)

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft has announced on Wednesday.

The privilege escalation can be performed by exploiting CVE-2025-53786, a newly disclosed vulnerability that stems from Exchange Server and Exchange Online sharing the same service principal – i.e., the Office 365 Exchange Online application – in hybrid configurations. (The app is used to authenticate and secure the communication between Exchange Server and Exchange Online.)

What is an Exchange hybrid deployment?

A hybrid deployment of Microsoft Exchange Server involves a configuration that connects an on-premises Microsoft Exchange Server environment with Exchange Online, the cloud-based version bundled in most Microsoft 365 subscriptions.

At the moment, organizations that rely on such a deployment can still get away with using the Office 365 Exchange Online application, but not for long: starting this month, Microsoft will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal.

“This is a part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app and making our customer’s environments more secure,” Microsoft’s Exchange Team explains.

The retirement of Exchange Web Services (EWS) in Exchange Online (in favor of the Microsoft Graph API) and the transition from the Office 365 Exchange Online application to a dedicated Exchange hybrid app have been planned by Microsoft for a while.

The company set the process in motion earlier this year by releasing hotfix updates for Exchange Server 2019 CU 14 and CU 15, Exchange Server 2016 CU 23, and Exchange Server Subscription Edition RTM, and urging customers to install them on their on-premises Exchange servers.

Following the installation, they had to run a PowerShell script to switch Exchange hybrid from the “shared principal” configuration to the dedicated Exchange hybrid app, and deploy it.

(The final step of the transition includes changing Exchange hybrid to use Graph API calls and updating dedicated app permissions to a more granular Graph permission model, which must be performed by October 2026.)

But, according to the Exchange team, “even though adoption of server versions that support dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low.”

And that’s why Microsoft has scheduled two- and three-day-long blocks of Exchange Web Services traffic, which will impact customers who have user mailboxes hosted both in Exchange on-premises and Exchange Online, use features shared by those mailboxes, have not updated to one of the hotfix updates released earlier this year, and have not created and/or enabled the dedicated Exchange hybrid app.

“After October 31, 2025, the use of shared service principal will be permanently blocked. The (…) hybrid features will stop working if the dedicated app is not configured,” the company explained.

About CVE-2025-53786

As an added “incentive”, Microsoft has revealed the danger stemming from Exchange Server and Exchange Online sharing the same service principal: attackers can use it to stealthily gain access to the organization’s connected cloud environment.

“Successful exploitation of [CVE-2025-53786] requires an attacker to first gain or possess administrator access on an Exchange Server,” Microsoft noted, but that’s a hurdle that can be overcome by sophisticated and persistent attackers.

Thus, the company advises organizations to:

“If you’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and your Exchange Online organization but no longer use it, make sure to reset the service principal’s keyCredentials,” Microsoft concluded.
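The keyCredentials reset Microsoft recommends can be audited first and then applied from the Microsoft Graph PowerShell SDK; the script below is an added example, not Microsoft’s own script or the article’s, and it assumes the SDK is installed and the signed-in account may update service principals (the Application.ReadWrite.All scope is an assumption).

```powershell
param([switch]$Reset)  # run without -Reset to audit only; add -Reset to clear the credentials

# Added example: assumes the Microsoft Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# The shared service principal used by Exchange hybrid / OAuth is the
# "Office 365 Exchange Online" application named in the advisory.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $sp) { throw "Shared Exchange Online service principal not found in this tenant." }

# Every entry here is a certificate that can authenticate as this principal.
# In a tenant that no longer uses hybrid or OAuth, these are exactly what should be reset.
$creds = @($sp.KeyCredentials)
Write-Host ("{0} keyCredential(s) on '{1}' ({2})" -f $creds.Count, $sp.DisplayName, $sp.Id)
foreach ($c in $creds) {
    Write-Host (" - {0}: valid {1:u} to {2:u}, usage {3}" -f $c.DisplayName, $c.StartDateTime, $c.EndDateTime, $c.Usage)
}

# Replacing the array with an empty one removes all certificates, so only do this
# once hybrid/OAuth is unused or the dedicated Exchange hybrid app has replaced it.
if ($Reset -and $creds.Count -gt 0) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
    Write-Host "keyCredentials cleared; re-run without -Reset to confirm the list is empty."
}
```

An audit that lists credentials on a tenant that has retired hybrid is itself a finding worth ticketing, since each one is a standing path from on-premises Exchange into the cloud tenant.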

CISA chimes in

According to the security advisory, CVE-2025-53786 is not currently exploited. (Though, if it were, would organizations be able to tell, given that the privilege escalation can be performed by attackers “without leaving [an] easily detectable and auditable trace”?)

Nevertheless, now that this knowledge is out in the open, some attackers may try their hand at exploiting this weakness.

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised organizations to follow Microsoft’s guidelines and to conclude with running the Microsoft Exchange Health Checker to determine if further steps are required.

“CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use,” the agency added.

The end of extended support for Exchange 2016 and Exchange 2019 is scheduled for October 14, 2025.

Earlier this year, Microsoft also started pushing organizations to upgrade and regularly patch their on-prem Microsoft Exchange servers if they wanted to use the Exchange Online service to deliver email. The company’s stated goal is to raise the security profile of the Exchange ecosystem in the face of a significant increase in the frequency of attacks against Exchange servers in the last few years.
