Monday, May 18, 2026
Tags: CISA, Exploit List, Networks, Patch, Vulnerability

Microsoft and CISA Warn of High-Severity Exchange Hybrid Flaw

by Justin Erickson

Microsoft has disclosed CVE-2025-53786, a privilege-escalation flaw that affects Exchange Server 2016, 2019, and Subscription Edition when they are linked to Exchange Online. Because the on-premises server and the cloud tenant share the same service principal, an attacker who has already authenticated and obtained admin rights on the local server can forge trusted tokens or API calls that the cloud side will accept as legitimate, and can then operate in the cloud without leaving easily detectable audit trails. Microsoft rates exploitation as “more likely,” though no in-the-wild attacks are currently known. CISA issued a companion alert warning that unpatched systems risk “total domain compromise.” Admins should install the April 2025 (or newer) hotfix, create the dedicated Exchange hybrid app, and then reset the service-principal key credentials. Microsoft will start blocking Exchange Web Services traffic that uses the shared service principal this month and is encouraging those still using it to adopt the dedicated Exchange hybrid app; such traffic will be permanently blocked after October.
