CISA, Microsoft warn of critical Exchange hybrid flaw CVE-2025-53786
CISA and Microsoft warn of a high-severity vulnerability, CVE-2025-53786, in Exchange hybrid deployments that allows an attacker to escalate privileges in the cloud environment. The flaw affects Exchange Server 2016, 2019 and Subscription Edition RTM. Successful exploitation first requires administrator access. Microsoft has released a fix and recommends that users update promptly and clean up legacy configuration to prevent residual risk. 2025-08-07 14:02:45 Author: securityaffairs.com


CISA and Microsoft warn of CVE-2025-53786, a high-severity Exchange flaw allowing privilege escalation in hybrid cloud environments.

CISA and Microsoft warn of a high-severity flaw, tracked as CVE-2025-53786, in Exchange hybrid deployments that allows attackers to escalate privileges in cloud setups. Microsoft addressed the vulnerability in Exchange Server 2016, 2019 and Subscription Edition RTM.

The tech giant highlights that successful exploitation of this vulnerability requires an attacker to first gain or possess administrator access on an Exchange Server.

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace.” reads the advisory. “This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.”

Dirk-jan Mollema, a researcher with Outsider Security, reported the vulnerability.

Microsoft is not aware of attacks exploiting this vulnerability in the wild.

“CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations.” reads the alert published by the US CISA. “This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”

CISA urges organizations using Microsoft Exchange hybrid deployments to follow Microsoft’s guidance to prevent potential domain compromise, despite no known exploitation of CVE-2025-53786 yet. Key steps include applying the April 2025 hotfix, configuring a dedicated hybrid app, cleaning up service principals if Exchange hybrid is no longer used, and running the Exchange Health Checker. Public-facing EOL versions like SharePoint Server 2013 should be taken offline.
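As an added illustration for the cleanup step above (this is not code from the article, from CISA or from Microsoft's guidance), the following PowerShell lists the certificate credentials attached to the Exchange Online service principal that an on-premises server shares in a hybrid configuration, so an administrator can see whether stale entries remain after hybrid is retired. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may read service principals, and that 00000002-0000-0ff1-ce00-000000000000 is the Exchange Online first-party application ID.

```powershell
# Added example, not part of the article. Requires the Microsoft.Graph module and
# a role permitted to read service principals (assumption: Application.Read.All).
Connect-MgGraph -Scopes "Application.Read.All"

# Assumption: the well-known Exchange Online first-party application ID.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"

$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (-not $sp) {
    Write-Host "No Exchange Online service principal found in this tenant."
    return
}

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

# In a hybrid deployment the on-premises server authenticates to Exchange Online with
# certificate credentials stored on this shared service principal. If hybrid is no
# longer in use, any remaining entries are stale and belong to the cleanup Microsoft
# describes; if hybrid is still in use, review each entry for anything unexpected.
$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Host "No certificate credentials on the shared service principal."
} else {
    Write-Host "$($keys.Count) certificate credential(s) present - review each one:"
    $keys | ForEach-Object {
        [pscustomobject]@{
            KeyId       = $_.KeyId
            DisplayName = $_.DisplayName
            Usage       = $_.Usage
            StartDate   = $_.StartDateTime
            EndDate     = $_.EndDateTime
        }
    } | Format-Table -AutoSize
}
```

The listing is read-only; removal of stale credentials should follow Microsoft's published cleanup steps rather than ad-hoc deletion.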

Threat actors frequently exploit Microsoft Exchange Server vulnerabilities. These breaches underscore the persistent risk to Exchange systems and the importance of regular patching and vigilance.

With nearly two dozen vulnerabilities exploited in the wild, it’s clear that Exchange remains a prime target, even years after patches are issued. Organizations relying on Exchange should stay current with updates and follow CISA and Microsoft security guidance closely to reduce exposure.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)




Source: https://securityaffairs.com/180923/security/cisa-microsoft-warn-of-critical-exchange-hybrid-flaw-cve-2025-53786.html