Microsoft Warns of High-Severity Flaw in Hybrid Exchange Deployments
Microsoft has issued a security advisory warning customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected.
Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online, allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes. However, this shared connection also creates a potential vulnerability that can be exploited by attackers.
In an Exchange hybrid deployment, an attacker who gains administrative access to an on-premises Exchange server could escalate privileges within the organization's connected cloud environment without leaving easily detectable, auditable traces. This is because actions originating from on-premises Exchange may not generate the Microsoft 365 logs that would normally expose malicious behavior.
Microsoft has tagged this vulnerability as CVE-2025-53786, which affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition. While Microsoft has yet to observe in-the-wild exploitation, its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, making it increasingly attractive to attackers.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a separate advisory addressing this issue, with guidance for network defenders who want to secure their Exchange hybrid deployments against attacks targeting the CVE-2025-53786 flaw. CISA warned that failing to mitigate this vulnerability could lead to a "hybrid cloud and on-premises total domain compromise" and urged admins to disconnect public-facing servers running end-of-life versions of Exchange Server or SharePoint Server from the internet.
In January, Microsoft also reminded admins that Exchange 2016 and Exchange 2019 will reach their end of extended support in October and shared guidance for those who need to decommission outdated servers. They advised migrating to Exchange Online or upgrading to Exchange Server Subscription Edition (SE) to ensure security and stability.
A Pattern of Exploitation
In recent years, financially motivated and state-sponsored hackers have exploited multiple Exchange security vulnerabilities, including ProxyLogon and ProxyShell zero-days, to breach servers. For example, at least ten hacking groups exploited ProxyLogon in March 2021, including a Chinese-sponsored threat group tracked as Hafnium or Silk Typhoon.
Two years ago, in January 2023, Microsoft also urged customers to apply the latest supported Cumulative Update (CU) and keep their on-premises Exchange servers up to date to ensure they're always ready to deploy emergency security updates. This pattern of exploitation highlights the importance of staying vigilant and proactive in securing Exchange deployments.
A Call to Action
Microsoft is urging customers to take immediate action to secure their hybrid Exchange deployments against this high-severity vulnerability. CISA has also issued a warning, advising network defenders to disconnect public-facing servers running end-of-life versions of Exchange Server or SharePoint Server from the internet.
By taking these steps, organizations can reduce the risk of exploitation and prevent potential breaches. Admins should stay informed about security vulnerabilities and take proactive measures to secure their Exchange deployments.
A Word on Zero-Day Exploits
The increasing threat of zero-day exploits highlights the importance of staying ahead of emerging threats. Microsoft has increased its Zero Day Quest prize pool to $5 million, offering a significant reward for researchers who can discover and report zero-day vulnerabilities.
CISA has also warned of attackers exploiting Linux flaws with PoC exploit tools, emphasizing the need for organizations to stay vigilant and proactive in securing their Linux deployments.