Microsoft urges users to be on alert following high-severity flaw in hybrid Exchange deployments

Microsoft finds high-severity flaw in hybrid Exchange instances
Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition
A hotfix is available, so users should update now

Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in hybrid Exchange deployments.

Microsoft describes the issue as an “improper authentication” bug, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Threat actors with admin access to an on-prem Exchange Server can use the vulnerability to escalate privileges into the connected Exchange Online environment due to trust flaws in shared service principal configurations.

Matters could be even worse as activity from on-prem Exchange doesn’t always generate logs associated with malicious behavior in Microsoft 365, which could result in cyberattacks not being spotted via cloud-based auditing.

“Publicly available business information”

A hybrid Microsoft Exchange deployment combines on-premises Exchange servers with Exchange Online in Microsoft 365, allowing them to work together as one system. It lets organizations support seamless email, calendar, and contact sharing across both environments.

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft said.

Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition.

Even though there is no evidence of abuse in the wild yet, Microsoft has urged its customers to apply April 2025 hotfixes, transition to the dedicated Exchange Hybrid app, and reset the shared service principal’s credentials to mitigate the risk.

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory, urging IT teams to, besides the hotfix, review Microsoft’s Service Principal Clean-Up Mode and then run the Microsoft Exchange Health Checker.

Failing to do so could result in “hybrid cloud and on-premises total domain compromise,” CISA warned.

Via BleepingComputer

What's Hot

My Health Anxiety Means I Won’t Use Apple’s or Samsung’s Smartwatches. Here’s Why

You can now buy the OnePlus 15 in the US and score free earbuds if you hurry

Today’s NYT Connections: Sports Edition Hints, Answers for Dec. 22 #455

TikTok Signs Agreements With US Investors. What’s Next for Creators and Users?

Microsoft makes theming your Windows 11 PC as easy as phones, but not as much fun

How Nissan took a shortcut to a good plug-in hybrid SUV

NYT Strands hints and answers for Monday, August 11 (game #526)

These 2 Cities Are Pushing Back on Data Centers. Here’s What They’re Worried About

Today’s NYT Connections: Sports Edition Hints, Answers for Sept. 4 #346

Most Popular

Best Fitbit fitness trackers and watches in 2025

There are still 200+ Prime Day 2025 deals you can get

The best earbuds we’ve tested for 2025

Our Picks