Organizations operating hybrid Microsoft Exchange deployments have been alerted to a critical security vulnerability that could allow attackers to escalate privileges across cloud environments.

Tracked as CVE-2025-53786, the flaw was disclosed by Microsoft and highlighted in a recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA). While there is currently no evidence of active exploitation, the risk is classified as “exploitation more likely,” prompting strong recommendations for immediate patching.

The Risk in Hybrid Exchange Setups

This vulnerability specifically affects Exchange hybrid configurations, where on-premises Exchange servers are connected to Microsoft’s cloud-based Exchange Online.

According to Microsoft, if an attacker gains administrative access to an on-premises Exchange server, they could use that access to escalate privileges within the cloud environment. This escalation could occur without triggering typical detection or audit logs—posing a significant security threat.

The root of the issue lies in the fact that Exchange Server and Exchange Online share the same service principal in hybrid deployments. This shared identity allows for certain coexistence features but also introduces the risk of cross-environment compromise.

Patches and Mitigations Available

The vulnerability was responsibly disclosed by Dirk-jan Mollema of Outsider Security and has now been patched in supported versions:

• Exchange Server 2016
• Exchange Server 2019
• Exchange Server Subscription Edition RTM

Both Microsoft and CISA urge IT administrators and security teams to immediately apply the updates and review their Exchange hybrid configurations to ensure defenses are up-to-date.

Strategic Changes to Hybrid Exchange Coming Soon

In parallel with the vulnerability disclosure, Microsoft also reminded customers of upcoming changes to Exchange Online hybrid environments. Starting in August 2025, Microsoft will temporarily block Exchange Web Services (EWS) traffic using the shared service principal, a move designed to encourage organizations to adopt the dedicated Exchange hybrid app.

This shift is part of a phased strategy to strengthen security in hybrid Exchange environments by reducing dependency on shared identity mechanisms and enforcing better segmentation between cloud and on-premises resources.

Why It Matters

This advisory underscores the ongoing risks posed by hybrid infrastructure, where legacy systems and cloud services intersect. While hybrid models offer operational flexibility, they also introduce complex security dependencies that threat actors can exploit.

With 17 Exchange Server vulnerabilities already listed in CISA’s Known Exploited Vulnerabilities catalog since 2018, proactive patching and security hardening are more critical than ever.

Final Thoughts

Organizations leveraging Microsoft Exchange in hybrid mode should prioritize:

• Immediate patching of vulnerable instances
• Reviewing service principal permissions
• Adopting Microsoft’s new hybrid app strategy

The window for preemptive action is now. Delaying updates could expose your cloud and on-prem infrastructure to a total domain compromise.

Source: https://www.securityweek.com/organizations-warned-of-vulnerability-in-microsoft-exchange-hybrid-deployment