Microsoft Exchange bug can allow ‘total domain compromise’ • The Register

Microsoft and the feds late Wednesday sounded the alarm on another high-severity bug in Exchange Server hybrid deployments that could allow attackers to escalate privileges from on-premises Exchange to the cloud.

While this latest security flaw, tracked as CVE-2025-53786, isn’t under attack (yet), Microsoft deems “exploitation more likely,” and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the CVE can lead to “hybrid cloud and on-premises total domain compromise.”  

“All organizations are strongly encouraged to implement Microsoft guidance to reduce risk,” CISA Acting Executive Assistant Director Chris Butera said.

CISA on Thursday issued an emergency response directive mandating government agencies fix the issue by August 11.

Exchange — Microsoft’s suite of business email, calendar, and collab tools — has previously been penetrated by both Russian and Chinese spies, including Beijing’s Salt Typhoon.

An earlier 2023 Exchange intrusion gave China’s Storm-0558 access to about 60,000 State Department emails and prompted the Cyber Safety Review Board investigation into Microsoft’s security failings, which the CSRB attributed to a “cascade of avoidable errors.” 

In other words: this vulnerability is serious, and very likely to be abused by government goons or financially motivated miscreants very soon. Patch now.

CVE-2025-53786 is an elevation of privilege bug that Outsider Security’s Dirk-jan Mollema reported to Microsoft. It exists because of the way hybrid Exchange deployments, which connect on-premises Exchange servers to Exchange Online, use a shared identity to authenticate users between the two environments.

Redmond made some changes to these hybrid deployments back in April, intended to improve the security of on-prem and cloud-hosted Exchange.

However, “following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement,” the Windows giant admitted. CVE-2025-53786 documents “a vulnerability that is addressed by taking the steps” in the April 18 hybrid Exchange announcement.

The good news: to exploit the vulnerability, an attacker would already need to have administrative access to an on-premises Exchange server. But assuming that they did, they could then “escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces,” Redmond explained in its security update.

To address this bug, anyone using Exchange hybrid should install the April Hotfix (or newer release) on on-premises Exchange servers and follow the configuration instructions outlined in Microsoft’s dedicated Exchange hybrid app guidance.

After completing these steps, users also need to reset the service principal’s keyCredentials.
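One way to audit, and only then clear, the keyCredentials on the Exchange Online service principal with the Microsoft Graph PowerShell SDK. This is an added example, not Microsoft's own script; it assumes the first-party Office 365 Exchange Online app id 00000002-0000-0ff1-ce00-000000000000 and a session holding the Application.ReadWrite.All scope, and it should be run only after the hotfix and dedicated-app configuration steps are complete.

```powershell
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Applications

# Assumption: well-known app id of the first-party Office 365 Exchange Online app.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-ExchangeHybridKeyCredentials {
    # Lists every certificate credential currently attached to the service
    # principal, so an admin can see what the on-prem hybrid setup left behind.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }
    foreach ($cred in $sp.KeyCredentials) {
        [pscustomobject]@{
            DisplayName = $cred.DisplayName
            KeyId       = $cred.KeyId
            Usage       = $cred.Usage
            StartDate   = $cred.StartDateTime
            EndDate     = $cred.EndDateTime
        }
    }
}

function Reset-ExchangeHybridKeyCredentials {
    # Clears all keyCredentials on the service principal. Nothing is changed
    # unless -Confirm is passed, so the default run is report-only.
    param([switch]$Confirm)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }
    $count = @($sp.KeyCredentials).Count
    if (-not $Confirm) {
        Write-Host "Report only: $count keyCredential(s) would be removed. Re-run with -Confirm to apply."
        return
    }
    # An empty array removes every certificate credential from the principal.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
    Write-Host "Removed $count keyCredential(s) from service principal $($sp.Id)."
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All'
Get-ExchangeHybridKeyCredentials | Format-Table -AutoSize
Reset-ExchangeHybridKeyCredentials            # report only
# Reset-ExchangeHybridKeyCredentials -Confirm # apply the reset
```

Re-run Get-ExchangeHybridKeyCredentials afterwards and confirm it returns nothing; any credential that reappears later is worth investigating.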

The Exchange bug and fix follow Microsoft’s SharePoint security snafu last month, which has since been exploited by Chinese spies, data thieves, and ransomware gangs. ®

