- Last update: 07/08/2025
- Affected software:
→ Microsoft Exchange Server in Hybrid Exchange Deployments
- Type: Elevation of Privilege
- CVE/CVSS
→ CVE-2025-53786: CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-53786 is a high-severity vulnerability affecting Microsoft Exchange hybrid deployments. An attacker who already holds administrative access to an on-premises Exchange Server can use it to escalate privileges into the organisation's connected Exchange Online environment, with full impact on the confidentiality, integrity and availability of the affected cloud tenant.
The escalation can take place without leaving the usual traces in cloud audit logs, which makes it hard to detect. Microsoft has rated the vulnerability CVSS 8.0 and strongly recommends that organisations act immediately to mitigate the risk. At the time of this update no active exploitation had been observed.
The root cause is the identity model of hybrid deployments: on-premises Exchange Server and Exchange Online share a single service principal. That shared identity is what makes hybrid features such as free/busy calendar lookups, MailTips and profile picture sharing work, but it also means the cloud side trusts whatever the on-premises side can authenticate as. An attacker who compromises an on-premises Exchange Server can therefore use the shared service principal to act with elevated privileges in the connected cloud environment, and because the activity is performed through a legitimate first-party identity it leaves few easily detectable or auditable traces.
Successful exploitation requires the attacker to first obtain or already possess administrator access on an on-premises Exchange Server; the vulnerability does not provide initial access by itself.
To address this risk, Microsoft is phasing out the shared service principal. Beginning in August 2025, Microsoft will enforce temporary blocks on Exchange Web Services (EWS) traffic that authenticates with the shared principal, leading up to a permanent block after October 31, 2025. To keep hybrid functionality working and remove this exposure, organisations must update their Exchange servers to a supported version, transition to the dedicated Exchange Hybrid Application, and reset the credentials that the shared service principal still holds.
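The transition and its verification, as an added PowerShell example that is not part of the CCB advisory or of Microsoft's own documentation. It assumes an Exchange Management Shell session on a hybrid server, the Microsoft.Graph PowerShell SDK, an account allowed to read applications in the tenant, and Microsoft's ConfigureExchangeHybridApplication.ps1 script downloaded into the current directory. The appId of the shared "Office 365 Exchange Online" service principal and the script's two switch names are taken from Microsoft's published guidance as we understand it; verify them against the script's built-in help before running anything in production.

```powershell
# Added example (not from the CCB advisory or Microsoft). Checks whether a
# hybrid deployment still relies on the shared service principal that
# CVE-2025-53786 abuses, then shows the documented remediation commands.
# Assumptions: Exchange Management Shell, Microsoft.Graph SDK installed,
# Application.Read.All consent available, script present in $PWD.

# Well-known appId of the first-party "Office 365 Exchange Online" service
# principal that on-premises Exchange shares with Exchange Online in hybrid mode.
$SharedExchangeAppId = '00000002-0000-0ff1-ce00-000000000000'

# 1. On-premises side: which OAuth certificate does Exchange present today?
#    The Hybrid Configuration Wizard uploads this certificate's public key
#    into the shared service principal, which is the trust being abused.
$onPremThumb = (Get-AuthConfig).CurrentCertificateThumbprint
Write-Host "On-prem OAuth certificate thumbprint: $onPremThumb"

# 2. Server inventory: every server must be on a build that supports the
#    dedicated hybrid app (April 2025 Hotfix Update or later) before step 3.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize

# 3. Cloud side: does the shared service principal still carry keyCredentials?
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$SharedExchangeAppId'"
if (-not $sp) { throw 'Shared Exchange Online service principal not found in this tenant.' }

$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Host 'OK: the shared service principal holds no keyCredentials; Exchange Online no longer trusts an on-prem certificate through it.'
} else {
    Write-Warning "The shared service principal still holds $($keys.Count) keyCredential(s); the exposure behind CVE-2025-53786 is still present."
    $keys | ForEach-Object {
        # customKeyIdentifier normally carries the certificate thumbprint bytes,
        # so it can be matched against the on-prem Auth certificate.
        $thumb = ($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Thumbprint      = $thumb
            MatchesOnPrem   = ($thumb -eq $onPremThumb)
            NotBefore       = $_.StartDateTime
            NotAfter        = $_.EndDateTime
        }
    } | Format-Table -AutoSize
}

# 4. Remediation, to be run once every server is on a supported build.
#    Switch names are assumptions based on Microsoft's deployment guidance;
#    confirm with: Get-Help .\ConfigureExchangeHybridApplication.ps1 -Detailed
#    a) create and configure the dedicated Exchange hybrid application:
#       .\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication
#    b) remove the on-prem certificate from the shared service principal:
#       .\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials
```

Run step 3 again after the reset and keep it in a scheduled job until the permanent block takes effect: a keyCredential that reappears on the shared principal, especially one whose thumbprint matches the on-prem Auth certificate, means some server has re-established the old trust model and the hybrid tenant is exposed again.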
Patch
The Centre for Cybersecurity Belgium strongly recommends following Microsoft’s guidance on mitigating the vulnerability:
Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity and to ensure a swift response in case of an intrusion. Because the escalation itself may not appear in cloud audit logs, detection should concentrate on the on-premises Exchange servers whose compromise is the precondition for this attack. Trend Micro additionally advises reviewing remote access to critical systems and ensuring that access policies and perimeter security are up to date.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already taken place; an attacker who already held Exchange administrator access before the update must be assumed to have used it.
Microsoft - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
CISA - https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments