Red Hot Cyber


29,000 Exchange servers at risk. The exploit for CVE-2025-53786 is under exploitation.

Redazione RHC : 13 August 2025 08:53

29,000 Exchange servers are vulnerable to CVE-2025-53786, which allows attackers to move within Microsoft cloud environments, potentially leading to complete domain compromise.

CVE-2025-53786 allows attackers who have already gained administrative access to on-premises Exchange servers to escalate privileges in an organization’s connected cloud environment by forging or manipulating trusted tokens and API requests. This attack leaves virtually no trace, making it difficult to detect.

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition in hybrid configurations.

The vulnerability is related to changes made in April 2025, when Microsoft released guidelines and a hotfix for Exchange as part of the Secure Future Initiative. At that time, the company moved to a new architecture with a separate hybrid application that replaced the insecure shared identity previously used by on-premises Exchange servers and Exchange Online.

Researchers later discovered that this scheme still left room for abuse. At the Black Hat conference, Outsider Security demonstrated a similar post-exploitation attack.

“I initially didn’t consider this a vulnerability because the protocol used for these attacks was designed with the characteristics discussed in the report in mind and simply lacked important security controls,” says Dirk-Jan Mollema of Outsider Security.

Although Microsoft experts have not found any signs of exploitation of the issue in real attacks, the vulnerability has been marked as “Exploitation Most Likely,” meaning that the company expects exploits to appear soon.

As Shadowserver analysts warn, 29,098 Exchange servers exposed on the Internet have not received the patches. Of these, more than 7,200 IP addresses are in the United States, over 6,700 in Germany, and more than 2,500 in Russia.

The day after the issue was disclosed, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies (including the Treasury and Energy departments) to urgently address the threat.

In a security bulletin, CISA representatives emphasized that failure to fix CVE-2025-53786 could lead to “complete compromise of a hybrid cloud and on-premises domain.”

As Mollema explained, Microsoft Exchange users who have already installed the aforementioned hotfix and followed the company’s April recommendations should be protected from the new issue. However, those who have not yet implemented protections are still at risk and should install the hotfix and also follow Microsoft’s guidance (1, 2) on implementing a separate Exchange hybrid app.

“In this case, simply applying a patch is not sufficient; additional manual steps are required to migrate to a dedicated core service,” Mollema explained. “The urgency from a security perspective is driven by the importance for administrators to isolate on-premises Exchange resources from those hosted in the cloud. In the old configuration, the hybrid Exchange system had full access to all Exchange Online and SharePoint resources.”

The specialist also emphasized once again that exploitation of CVE-2025-53786 occurs post-compromise, meaning the attacker must first compromise the on-premises environment or Exchange servers and have administrator privileges.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
