Which versions of Microsoft Exchange Server are affected by CVE-2025-53786?

The affected versions include Microsoft Exchange Server 2016 (all versions in hybrid deployments), Microsoft Exchange Server 2019 (all versions in hybrid deployments), and Microsoft Exchange Server Subscription Edition (all versions in hybrid deployments). Only hybrid deployment configurations are vulnerable to this specific attack.

Which Exchange Server deployments are NOT affected by this vulnerability?

Versions that are not affected include standalone Exchange Server deployments (not configured for hybrid), Exchange Server deployments that have implemented the April 2025 hotfix updates and dedicated hybrid app configuration, and organizations that have completed service principal cleanup and implemented proper security boundaries.

What are the prerequisites for exploiting CVE-2025-53786?

The prerequisite for exploitation is having administrative privileges on the on-premises Exchange Server. Although this requirement is high, these privileges are not impossible to obtain via infostealers, other malware, or phishing attacks. This flaw escalates the risk towards the rest of the enterprise in the cloud environment.

What does CISA recommend organizations do about this Exchange Server vulnerability?

CISA strongly urges organizations to implement Microsoft's Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance, which includes reviewing Microsoft's security guidance, installing April 2025 Exchange Server Hotfix Updates, deploying dedicated Exchange hybrid app configurations, and running cleanup procedures for service principals.

What are the specific steps organizations should take to address CVE-2025-53786?

Organizations should: 1) Review Microsoft's guidance on Exchange Server Security Changes for Hybrid Deployments, 2) Install Microsoft's April 2025 Exchange Server Hotfix Updates and follow configuration instructions for deploying dedicated Exchange hybrid app, 3) For hybrid deployments, review Microsoft's Service Principal Clean-Up Mode guidance for resetting keyCredentials, and 4) Run the Microsoft Exchange Health Checker to determine if further steps are required.

Why is this Exchange Server vulnerability particularly concerning for organizations?

This vulnerability is particularly concerning because it allows attackers to access connected cloud environments without leaving easily detectable and auditable traces. Once attackers gain administrative access to on-premises Exchange servers, they can escalate privileges to compromise the organization's Exchange Online service and broader cloud infrastructure.

What is the danger of the shared service principal in Exchange hybrid deployments?

In hybrid configurations, Exchange Server and Exchange Online share the same service principal, creating a dangerous trust relationship. This shared identity model means that compromise of the on-premises Exchange server can directly impact the security and integrity of the connected cloud Exchange Online service.

Should organizations that previously used Exchange hybrid but no longer use it be concerned?

Yes, organizations that have previously configured Exchange hybrid but no longer use it should still review Microsoft's Service Principal Clean-Up Mode guidance for resetting the service principal's keyCredentials. Past hybrid configurations may still leave vulnerable trust relationships that need to be properly cleaned up.

Advisory

CISA and Microsoft warn of an Exchange Server Hybrid flaw enabling attackers to compromise the Cloud instance

Q: What is CVE-2025-53786 and how serious is this Exchange Server vulnerability?

CVE-2025-53786 is a security vulnerability in Exchange Server hybrid deployments with a CVSS score of 8.0. CISA and Microsoft are warning that this flaw allows authenticated attackers with administrative access to on-premises Microsoft Exchange servers to escalate privileges within connected cloud environments, potentially compromising the identity integrity of an organization's Exchange Online service.

Q: How does the Exchange Server hybrid deployment vulnerability work?

The vulnerability stems from Exchange Server and Exchange Online sharing the same service principal in hybrid configurations. This creates a dangerous trust relationship that attackers can exploit. Successful exploitation allows attackers to access the organization's connected cloud environment without leaving easily detectable and auditable traces.

published: Aug. 7, 2025

Take action: If you run Exchange Server in hybrid mode with cloud services, plan an install Microsoft's April 2025 hotfix updates and follow their dedicated hybrid app configuration guidance. Yes, the exploit requires admin privileges on the on-prem server. Yes, someone will get those given enough time. So don't give them the time.

Learn More

CISA and Microsoft are warning of a security vulnerability in Exchange Server hybrid deployments that allows authenticated attackers with administrative access to on-premises Microsoft Exchange servers to escalate privileges within connected cloud environments, potentially compromising the identity integrity of an organization's Exchange Online service.

The vulnerability is tracked as CVE-2025-53786 (CVSS score 8.0) and stems from Exchange Server and Exchange Online sharing the same service principal in hybrid configurations. This creates a dangerous trust relationship that attackers can exploit Successful exploitation allows attackers to access the organization's connected cloud environment without leaving easily detectable and auditable traces.

Affected Versions:

Microsoft Exchange Server 2016 (all versions in hybrid deployments)
Microsoft Exchange Server 2019 (all versions in hybrid deployments)
Microsoft Exchange Server Subscription Edition (all versions in hybrid deployments)

Versions that are not affected:

Standalone Exchange Server deployments (not configured for hybrid)
Exchange Server deployments that have implemented the April 2025 hotfix updates and dedicated hybrid app configuration
Organizations that have completed service principal cleanup and implemented proper security boundaries

Although the prerequisite for exploitation is high - to have administrative privileges - they are not impossible to obtain via infostealers, other malware or phishing. This flaw escalates the risk towards the rest of the enterprise in the cloud.

CISA strongly urges organizations to implement Microsoft's Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance:

Review Microsoft’s guidance Exchange Server Security Changes for Hybrid Deployments
Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft’s configuration instructions Deploy dedicated Exchange hybrid app
For organizations using Exchange hybrid (or have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal’s keyCredentials.
Run the Microsoft Exchange Health Checker to determine if further steps are required.

CISA and Microsoft warn of an Exchange Server Hybrid flaw enabling attackers to compromise the Cloud instance

Read More
Multiple security flaws reported in Versa Concerto platform, …
QNAP Patches Muliple Flaws in NAS Operating Systems, …
Critical SQL injection vulnerabilities reported in Fortra FileCatalyst …
Cacti Network Monitoring Tool fixes multiple vulnerabilities, two …
Massive ransomware attack targets 22K CyberPanel instances