
Warning Issued About High-severity Flaw Affecting Microsoft Exchange Hybrid Deployments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have issued warnings about a high-severity flaw affecting Exchange hybrid deployments that could allow an attacker to escalate privileges in Exchange Online cloud environments undetected, potentially impacting the identity integrity of an organization’s Exchange Online service.

The vulnerability is tracked as CVE-2025-53786 and affects hybrid-joined configurations of Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition. It has a CVSS v3.1 severity score of 8.0 and is due to improper authentication. It can be exploited by an attacker who already has administrative access to an on-premises Microsoft Exchange server.

In hybrid Exchange deployments, the on-premises Exchange Server and Exchange Online share the same service principal, which is used for authentication between the on-premises and cloud environments. An attacker who controls the on-premises Exchange server can therefore potentially manipulate trusted tokens or API calls, and Exchange Online will accept them as legitimate because the on-premises Exchange Server is implicitly trusted. Since actions originating from the on-premises Exchange Server do not always generate logs of malicious activity, audits of Exchange Online may not identify security breaches that originated on the on-premises server.

At the time of the alert, no exploitation of the flaw had been observed in the wild; however, exploitation is considered “more likely”, so organizations with vulnerable hybrid Microsoft Exchange environments should ensure they follow Microsoft’s mitigation guidance:


Exchange hybrid users should review the Exchange Server Security Changes for Hybrid Deployments guidance to determine if their deployments are potentially affected and if there is a Cumulative Update available.

Microsoft’s April 2025 Exchange Server Hotfix Updates should be applied to the on-premises Exchange server, and Microsoft’s guidance on deploying a dedicated Exchange hybrid app should be followed.

Any organization using Exchange hybrid, or that has previously configured Exchange hybrid but no longer uses it, should review Microsoft’s Service Principal Clean-Up Mode, which includes guidance for resetting the service principal’s keyCredentials. When these steps have been completed, Microsoft Exchange Health Checker should be run to determine if any further actions are required.
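An audit that can be run before and after the clean-up step above, added here as an example and not taken from the article or from Microsoft’s own scripts: it uses the Microsoft Graph PowerShell SDK to list the keyCredentials registered on the first-party Exchange Online service principal, the principal that legacy hybrid deployments share with the on-premises server. It assumes the Microsoft.Graph.Applications module is installed and the signed-in account can read application objects; the function name is the editor’s own, and the appId is the well-known Office 365 Exchange Online application ID.

```powershell
# Added example: report certificates (keyCredentials) still registered on the
# shared Exchange Online service principal. Non-empty output typically means a
# hybrid setup registered the on-premises server's certificate here, which is
# what Microsoft's Service Principal Clean-Up Mode resets.
function Get-SharedExchangeHybridKeyCredentials {
    [CmdletBinding()]
    param(
        # Well-known appId of the first-party "Office 365 Exchange Online" app.
        [string]$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'
    )

    # Read-only scope is sufficient for an audit.
    Connect-MgGraph -Scopes 'Application.Read.All'

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) {
        Write-Warning 'Exchange Online service principal not found in this tenant.'
        return
    }

    if (-not $sp.KeyCredentials -or $sp.KeyCredentials.Count -eq 0) {
        Write-Output "No keyCredentials on '$($sp.DisplayName)': shared-principal hybrid authentication is not configured."
        return
    }

    # Each entry is a certificate that can obtain tokens as the Exchange Online
    # principal. Report them for review; removal is performed through
    # Microsoft's clean-up guidance once the dedicated hybrid app is in place.
    $sp.KeyCredentials | ForEach-Object {
        [pscustomobject]@{
            KeyId       = $_.KeyId
            DisplayName = $_.DisplayName
            Usage       = $_.Usage
            NotBefore   = $_.StartDateTime
            NotAfter    = $_.EndDateTime
            Expired     = ($_.EndDateTime -lt (Get-Date))
        }
    }
}

Get-SharedExchangeHybridKeyCredentials | Format-Table -AutoSize
```

Running it after the clean-up and Health Checker steps should report no keyCredentials on the shared principal; any remaining entries, expired or not, warrant review against the dedicated hybrid app configuration.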

Organizations with public-facing versions of Exchange Server or SharePoint Server that have reached end-of-life or end-of-service should disconnect those servers from the public Internet and discontinue their use.

Microsoft is encouraging customers to migrate to its Exchange Hybrid app as soon as possible to enhance the security of their hybrid environments, and said, “Starting in August 2025, we will begin temporarily blocking Exchange Web Services traffic using the Exchange Online shared service principal” to accelerate adoption of the dedicated Exchange hybrid app.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
