Microsoft urges users to be on alert following high-severity flaw in hybrid Exchange deployments
Security bug allowed hackers to move from on-prem to the cloud

- Microsoft finds high-severity flaw in hybrid Exchange instances
- Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition
- A hotfix is available, so users should update now
Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in hybrid Exchange deployments.
Microsoft describes the issue as an “improper authentication” bug, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Threat actors with admin access to an on-prem Exchange Server can use the vulnerability to escalate privileges into the connected Exchange Online environment due to trust flaws in shared service principal configurations.
Matters could be even worse, because activity originating from on-prem Exchange does not always generate the logs in Microsoft 365 that would normally flag malicious behavior, so an attack could go unnoticed by cloud-based auditing.
A hybrid Microsoft Exchange deployment combines on-premises Exchange servers with Exchange Online in Microsoft 365, allowing them to work together as one system. It lets organizations support seamless email, calendar, and contact sharing across both environments.
"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace," Microsoft said.
Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition.
Even though there is no evidence of abuse in the wild yet, Microsoft has urged its customers to apply April 2025 hotfixes, transition to the dedicated Exchange Hybrid app, and reset the shared service principal’s credentials to mitigate the risk.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory, urging IT teams, in addition to applying the hotfix, to review Microsoft's Service Principal Clean-Up Mode and then run the Microsoft Exchange Health Checker.
Failing to do so could result in “hybrid cloud and on-premises total domain compromise," CISA warned.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.