Hybrid Exchange environment vulnerability needs fast action


Administrators with hybrid Exchange Server environments are urged by Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) to quickly plug a high-severity vulnerability or risk system compromise.

Hybrid Exchange deployments offer organizations the ability to extend the user features and admin controls of the on-prem version of Exchange within Microsoft 365. Hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization, Microsoft said.

The benefits include secure mail routing between on-premises and Exchange Online organizations, mail routing with a shared domain namespace (for example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain) and calendar sharing between on-premises and Exchange Online organizations.

To exploit the vulnerability, an attacker first has to gain administrative access to an on-premises Exchange server. From there, however, the vulnerability could allow the attacker to escalate privileges into the organization's connected cloud environment without leaving easily detectable and auditable traces, Microsoft warned in a security update.

“This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations,” the update explained. A service principal is the identity an application holds in a Microsoft Entra tenant; it carries the application's credentials and permissions and determines which resources the application can reach. Because both sides of the hybrid deployment use the same principal, a certificate that an on-premises Exchange server can use is also a credential that works against Exchange Online.

To protect this hybrid environment, administrators should:

if they haven’t already done so, install the hotfix released April 18 — or any newer release — on their on-premises Exchange servers and follow the configuration instructions outlined in the document Deploy dedicated Exchange hybrid app. For additional details, they should refer to Exchange Server Security Changes for Hybrid Deployments;

then reset the service principal’s keyCredentials. That reset should be performed even if they’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and their Exchange Online organization and no longer use it;

then run the Microsoft Exchange Health Checker to determine whether further steps are required.  
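The middle step, resetting the service principal's keyCredentials, is the one most likely to be skipped because it is easy to assume there is nothing to reset. The following PowerShell is an added example, not code from the article or from Microsoft's documentation. It first lists whatever certificates are attached to the Exchange Online first-party service principal in the tenant, then clears them with a Microsoft Graph PATCH. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to Application.ReadWrite.All, and that the application ID below is the well-known "Office 365 Exchange Online" first-party app; verify that ID in your own tenant before relying on it.

```powershell
# Added example (not from the article or Microsoft's docs).
# Audits and resets keyCredentials on the Exchange Online service principal.
# Assumptions: Microsoft.Graph SDK installed; caller can consent to
# Application.ReadWrite.All; $ExchangeOnlineAppId is the well-known
# "Office 365 Exchange Online" first-party application (verify in your tenant).

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Look up the tenant's instance of the first-party app.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
if (-not $sp) {
    Write-Host 'No Exchange Online service principal found in this tenant; nothing to reset.'
    return
}

# Step 1: audit. Every entry here is a certificate that an on-premises Exchange
# admin (or whoever has compromised that server) can present to Exchange Online.
$creds = @($sp.KeyCredentials)
Write-Host ("Service principal '{0}' ({1}) has {2} keyCredential(s)" -f $sp.DisplayName, $sp.Id, $creds.Count)
foreach ($c in $creds) {
    Write-Host ("  KeyId={0} Type={1} Usage={2} NotBefore={3:u} NotAfter={4:u} Name={5}" -f `
        $c.KeyId, $c.Type, $c.Usage, $c.StartDateTime, $c.EndDateTime, $c.DisplayName)
}

# Step 2: reset. PATCHing an empty keyCredentials array removes every certificate
# at once. Microsoft's guidance is to do this even if hybrid/OAuth is no longer used,
# so run it regardless of whether the list above looked "in use".
if ($creds.Count -gt 0) {
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ keyCredentials = @() }

    # Step 3: verify the reset actually took effect.
    $after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
    Write-Host ("keyCredentials after reset: {0}" -f @($after.KeyCredentials).Count)
}
else {
    Write-Host 'No keyCredentials present; service principal already clean.'
}
```

Do this only after the hotfix is installed and the dedicated Exchange hybrid app is configured, because clearing the shared principal's certificates breaks any hybrid feature that still authenticates through it. Keep the audit output: a certificate you do not recognize on this principal is worth an investigation of its own, since the point of the advisory is that such a credential is a quiet path from an on-premises admin into the tenant.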

CISA also highly recommends that admins disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be disconnected if still in use.   

Johannes Ullrich, dean of research at the SANS Institute, noted that this issue only affects organizations that run Exchange on premises in hybrid mode. “Past vulnerabilities and ongoing guidance from Microsoft have motivated many organizations to abandon on-premises Exchange in favor of cloud solutions,” he told CSO in an email. “The number of organizations still running Exchange on premises is getting smaller and smaller.”

In order to exploit the vulnerability, he added, an attacker first must get admin rights on the on-premises Exchange server. “Having an attacker with admin rights is always a bad thing, and I am not sure this vulnerability increases the risk much,” he said. “It makes it easier to pivot into the organization’s cloud presence, but a patient attacker may learn what they need to get access just by observing Exchange traffic.”

The overall lesson, he added, is to move away from Exchange on-premises. “This product has become harder and harder to maintain,” he argued, “and Microsoft’s cloud solutions are an adequate alternative. This vulnerability does not add substantial risk and should not be treated as an emergency. Keeping Exchange patched and configured well is not easy, and must be done with careful testing.”

The vulnerability, CVE-2025-53786, traces back to Microsoft’s April 18 release of Exchange Server Security Changes for Hybrid Deployments and the accompanying non-security hotfix, which were intended to improve the security of hybrid Exchange deployments by moving them off the shared service principal.

Following further investigation, Microsoft said, it identified specific security implications tied to the guidance and configuration steps outlined in the April announcement, which is why the issue was subsequently assigned a CVE. Microsoft also credited the efforts of Dutch researcher Dirk-jan Mollema, head of Outsider Security.

Separately, Exchange admins should also note that, starting this month, Microsoft will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal. By default it is used by some coexistence features in hybrid scenarios. This is a part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app, Microsoft said.

