
Microsoft Releases Security Advisory for Vulnerability CVE-2025-53786 in Exchange Hybrid Deployments

Successful exploitation of CVE-2025-53786 could allow an attacker to escalate privileges within the organisation’s connected cloud environment




Threat details

Introduction

Microsoft has released additional guidance for CVE-2025-53786, an elevation of privilege vulnerability affecting Exchange Server hybrid deployments. The CVE describes the security implications Microsoft has since identified in the hybrid configuration that its April 2025 Exchange Server hotfix and the accompanying dedicated hybrid app guidance were released to address.

If an attacker first gains administrative access to an on-premises Exchange server, they could escalate privileges within the organisation's connected cloud environment "without easily leaving a detectable and auditable trace", because in the legacy hybrid configuration Exchange Server and Exchange Online share the same service principal: certificates uploaded to that service principal by the on-premises server can be used to obtain tokens that are accepted as Exchange Online itself.

Microsoft assesses exploitation as more likely

There is no known exploitation of CVE-2025-53786 at the time of writing. However, a security researcher has demonstrated at an annual cyber security conference how the shared service principal could be abused in a post-exploitation attack.

Although exploitation of this vulnerability is only possible after an attacker has established administrative access on the on-premises Exchange server, the US Cybersecurity and Infrastructure Security Agency (CISA) has stated it "is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim's M365 Exchange Online environment" and has issued an emergency directive requiring US federal civilian agencies to remediate.

The NHS England National Cyber Security Operations Centre (CSOC) strongly urges organisations with vulnerable instances to apply the hotfixes and follow the remediation steps below as soon as possible.


Remediation advice

Affected organisations are strongly encouraged to review the Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability advisory and follow the steps to better protect a hybrid environment.


Remediation steps

Type: Action
Step: If using Exchange hybrid, review Microsoft's advisory to determine whether your hybrid deployment is affected and whether the on-premises servers are on a Cumulative Update (CU) that the hotfix supports.
Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786

Type: Patch
Step: Install Microsoft's April 2025 Exchange Server Hotfix Updates on the on-premises Exchange servers.
Link: https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471

Type: Guidance
Step: Follow Microsoft's configuration instructions to deploy a dedicated Exchange hybrid app, so that on-premises Exchange no longer authenticates to Exchange Online using the shared service principal.
Link: https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app

Type: Action
Step: Once the dedicated hybrid app is in use, reset the shared service principal's keyCredentials (service principal clean-up mode) so that the certificates previously uploaded by the on-premises servers can no longer be used to obtain tokens as Exchange Online. Do this only after the earlier steps are complete, as removing the keyCredentials first will break hybrid features that still rely on them.
Link: https://aka.ms/ConfigureExchangeHybridApplication-Docs#service-principal-clean-up-mode

Type: Action
Step: Run the Microsoft Exchange Health Checker to confirm the hotfix and hybrid app configuration and to determine whether further steps are required.
Link: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
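The following PowerShell is an added example written for this page; it is not part of the NHS advisory or of Microsoft's script and documentation. It shows the check a practitioner would want after working through the steps above: enumerate the keyCredentials still attached to the tenant's "Office 365 Exchange Online" service principal (well-known appId 00000002-0000-0ff1-ce00-000000000000), since any certificate listed there can still be used to obtain tokens as Exchange Online. It assumes the Microsoft Graph PowerShell SDK is installed and that the operator can consent to Application.Read.All. The ConfigureExchangeHybridApplication.ps1 parameter named in the warning is quoted from memory of Microsoft's documentation and should be confirmed against the clean-up mode link above before use.

```powershell
# Added example, not code from the advisory or from Microsoft.
# Requires: Microsoft.Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal).

# Well-known first-party app "Office 365 Exchange Online". Its service principal
# in the tenant is the one legacy Exchange hybrid shared with Exchange Online.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (-not $sp) {
    throw "Exchange Online service principal not found in this tenant"
}

# keyCredentials holds the certificates that can be used for client
# authentication as this service principal. After migrating to the dedicated
# hybrid app and running the clean-up mode, this list should be empty.
$keys = @($sp.KeyCredentials)
"Service principal '$($sp.DisplayName)' ($($sp.Id)) has $($keys.Count) keyCredential(s)"

foreach ($k in $keys) {
    [pscustomobject]@{
        KeyId         = $k.KeyId
        DisplayName   = $k.DisplayName
        Usage         = $k.Usage
        Type          = $k.Type
        StartDateTime = $k.StartDateTime
        EndDateTime   = $k.EndDateTime
    }
}

if ($keys.Count -gt 0) {
    Write-Warning 'keyCredentials remain on the shared Exchange Online service principal.'
    Write-Warning 'If the dedicated hybrid app is already live, run the clean-up mode from the'
    Write-Warning 'Exchange Management Shell (parameter name assumed; verify against the Microsoft docs):'
    Write-Warning '  .\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials'
}
else {
    'No keyCredentials present on the shared service principal.'
}
```

A non-empty list after the migration means either the clean-up mode was never run or an on-premises server has re-uploaded a certificate, for example because the dedicated hybrid app override is not active on every server; re-run the Health Checker on each server in that case. Also note that the Graph SDK caches the signed-in context, so run this from an account scoped to read-only directory access rather than a Global Administrator session.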


Last edited: 8 August 2025 2:51 pm