Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions.
The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0. Dirk-jan Mollema with Outsider Security has been acknowledged for reporting the bug.
"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces," the tech giant said in the alert.
"This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations."
Successful exploitation of the flaw could allow an attacker to escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces, the company added. However, the attack hinges on the threat actor already having administrator access to an Exchange Server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a bulletin of its own, said the vulnerability could impact the identity integrity of an organization's Exchange Online service if left unpatched.
As mitigations, customers are recommended to review Exchange Server security changes for hybrid deployments, install the April 2025 Hot Fix (or newer), and follow the configuration instructions.
"If you've previously configured Exchange hybrid or OAuth authentication between Exchange Server and your Exchange Online organization but no longer use it, make sure to reset the service principal's keyCredentials," Microsoft said.
In a presentation at the Black Hat USA 2025 security conference, Mollema said on-premise versions of Exchange Server have a certificate credential that's used to authenticate to Exchange online and allow OAuth in hybrid scenarios.
These certificates can be leveraged to request Service-to-Service (S2S) actor tokens from Microsoft's Access Control Service (ACS), ultimately providing unfettered access to Exchange Online and SharePoint without any Conditional Access or security checks.
More importantly, these tokens can be used to impersonate any hybrid user within the tenant for a 24-hour period when the "trustedfordelegation" property is set, and leave no logs when they are issued. As mitigations, Microsoft plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025.
The development comes as the Windows maker said it will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal starting this month in an effort to increase the customer adoption of the dedicated Exchange hybrid app and improve the security posture of the hybrid environment.
Microsoft's advisory for CVE-2025-53786 also coincides with CISA's analysis of various malicious artifacts deployed following the exploitation of recently disclosed SharePoint flaws, collectively tracked as ToolShell.
This includes two Base64-encoded DLL binaries and four Active Server Page Extended (ASPX) files that are designed to retrieve machine key settings within an ASP.NET application's configuration and act as a web shell to execute commands and upload files.
"Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data," the agency said.
CISA is also urging entities to disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet, not to mention discontinue the use of outdated versions.
CISA Issues Emergency Directive
The U.S. cybersecurity agency, on August 7, 2025, issued an emergency directive (ED 25-02), requiring Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9 a.m. EDT on Monday, August 11, 2025.
"This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance," CISA said.
CISA further noted that immediate mitigation of CVE-2025-53786 is critical and that the issue poses severe risks to organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance
The concerns stem from the fact that an attacker, who has established administrative access on the on-premises Exchange server, could escalate privileges and gain significant control of a victim's Microsoft 365 Exchange Online environment.
(The story was updated after publication to include details of an emergency directive issued by CISA.)
