Microsoft has warned of a serious vulnerability in hybrid Exchange Server deployments that allows attackers to escalate privileges in Exchange Online without leaving any trace in the audit logs.

In August 2025, Microsoft officially acknowledged the existence of a high-risk vulnerability (CVE-2025-53786) in hybrid Exchange Server configurations. The vulnerability allows attackers who have already gained administrative access to on-premises Exchange to escalate their privileges in the Microsoft 365 cloud environment — without creating any visible traces in the event logs or audit trails.

The vulnerability affects all supported versions of Exchange Server, including Exchange Server 2016, Exchange Server 2019, and the new Exchange Server Subscription Edition. Although no active exploitation in the wild has been observed, Microsoft and CISA recommend taking immediate action. CISA emphasizes that leaving the vulnerability unaddressed could lead to a complete compromise of the domain in a hybrid environment.
To secure the environment, Microsoft recommends:

- Install the April 2025 (or later) Hotfix Update.
- Enable the dedicated Exchange Hybrid App and clear the credentials of the shared service principal.
- Run the Exchange Health Checker to verify the protection status.
- Disable public access to legacy Exchange or SharePoint servers.
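The step that is easiest to get wrong is the second one: the shared service principal keeps working, so nothing breaks if its old credentials are left behind. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can read application objects, and it uses the well-known appId of the Office 365 Exchange Online first-party application as the service principal to inspect.

```powershell
# Added example (not Microsoft's or the article's code): lists any key or password
# credentials still attached to the Exchange Online service principal that a hybrid
# deployment shares with on-premises Exchange. An empty result is the desired state
# once the dedicated Exchange Hybrid App is in use.
# Assumption: the appId below is the well-known Office 365 Exchange Online application.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-HybridServicePrincipalCredentials {
    param([string]$AppId = $ExchangeOnlineAppId)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        throw "Service principal for appId $AppId was not found in this tenant."
    }

    $findings = @()
    foreach ($k in $sp.KeyCredentials) {
        $findings += [pscustomobject]@{
            Type = 'Key'; KeyId = $k.KeyId; Usage = $k.Usage
            Start = $k.StartDateTime; End = $k.EndDateTime
        }
    }
    foreach ($p in $sp.PasswordCredentials) {
        $findings += [pscustomobject]@{
            Type = 'Password'; KeyId = $p.KeyId; Usage = $null
            Start = $p.StartDateTime; End = $p.EndDateTime
        }
    }
    return $findings
}

# Read-only scope is enough to audit; removing credentials is a separate, deliberate step.
Connect-MgGraph -Scopes 'Application.Read.All'
$creds = @(Get-HybridServicePrincipalCredentials)

if ($creds.Count -eq 0) {
    Write-Host 'OK: no credentials remain on the shared Exchange Online service principal.'
} else {
    Write-Warning "$($creds.Count) credential(s) still present on the shared service principal; clear them after enabling the dedicated hybrid app."
    $creds | Format-Table -AutoSize
}
```

Run it again after clearing the credentials and after each Exchange Health Checker pass, so the audit confirms the cleanup rather than assuming it.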
Hybrid Exchange deployments that are not updated according to Microsoft's guidance pose a serious threat to the security of organizations. The service principal shared between on-premises and cloud services becomes a weak link that an attacker with on-premises administrative access can exploit. Protection requires not only installing patches, but also a careful reassessment of the hybrid environment's architecture, including updating its configuration and removing outdated access keys. Delay can cost you the integrity of your infrastructure.