Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment

CISA and Microsoft have issued advisories for CVE-2025-53786, a high-severity flaw allowing privilege escalation in cloud environments. 

Microsoft on Wednesday informed organizations about a high-severity vulnerability affecting hybrid deployments of Exchange Server.

According to Microsoft, the vulnerability, tracked as CVE-2025-53786, can be exploited by an attacker to escalate privileges.  

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft explained. “This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.”

The issue, reported by Dirk-jan Mollema of Outsider Security, has been patched in Exchange Server 2016, 2019 and Subscription Edition RTM.

Microsoft’s advisory indicates that the vulnerability has not been exploited in the wild, but its exploitability assessment is ‘exploitation more likely’.

CISA has also published an alert for CVE-2025-53786, saying that, while Microsoft has not seen any in-the-wild attacks, organizations are strongly urged to implement patches and mitigations “or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise”. 

Microsoft on Wednesday also published a blog post to remind customers about recently announced changes to Exchange hybrid environments.

“Starting in August 2025, we will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal (which is by default used by some coexistence features in hybrid scenarios),” the company explained. 

It added, “This is a part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app and making our customer’s environments more secure.”
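Because the risk described above comes from the shared Exchange Online service principal, a practical defensive check is to inventory that service principal in Entra ID and look at which key credentials (certificates) are attached to it. The following PowerShell script is an added example written for this article; it is not code from Microsoft or from the advisory. It assumes the Microsoft Graph PowerShell SDK is installed, that the well-known application ID 00000002-0000-0ff1-ce00-000000000000 identifies the Office 365 Exchange Online first-party application in the tenant, and that an account with Application.Read.All consent is used. Any credentials it lists should be reconciled against the organization's own hybrid configuration records.

```powershell
# Added example (not from the article or Microsoft): inventory the key
# credentials attached to the Exchange Online service principal so that
# unexpected certificates can be reviewed and, if unexplained, investigated.

# Read-only scope is enough to enumerate service principals and their keys.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Assumed well-known app ID of the Office 365 Exchange Online application.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

$sp = Get-MgServicePrincipal `
    -Filter "appId eq '$exchangeOnlineAppId'" `
    -Property "Id,DisplayName,AppId,KeyCredentials"

if (-not $sp) {
    Write-Warning "Exchange Online service principal not found in this tenant."
    return
}

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

if (-not $sp.KeyCredentials -or $sp.KeyCredentials.Count -eq 0) {
    # No certificates on the shared principal: nothing to reconcile here.
    Write-Host "No key credentials are attached to the shared service principal."
    return
}

# List every certificate credential with its validity window so that each one
# can be matched to a known hybrid setup action (or flagged if it cannot be).
$now = Get-Date
$sp.KeyCredentials |
    Select-Object `
        @{ n = "KeyId";   e = { $_.KeyId } },
        @{ n = "Name";    e = { $_.DisplayName } },
        @{ n = "Type";    e = { $_.Type } },
        @{ n = "Usage";   e = { $_.Usage } },
        @{ n = "Start";   e = { $_.StartDateTime } },
        @{ n = "End";     e = { $_.EndDateTime } },
        @{ n = "Expired"; e = { $_.EndDateTime -lt $now } } |
    Format-Table -AutoSize

Write-Host "Reconcile each credential above against your hybrid configuration records."
```

Run this from a workstation with the Graph SDK installed; the output is a review list, and the script changes nothing in the tenant. Once the organization has moved to the dedicated Exchange hybrid app that Microsoft refers to, the number of credentials the shared principal still needs should shrink, which makes any remaining entry easier to account for.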

It’s not uncommon for threat actors to target Exchange Server instances. CISA’s Known Exploited Vulnerabilities catalog currently includes 17 Exchange flaws exploited since 2018.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
