Red Hot Cyber


New Critical Vulnerability Discovered in Microsoft Exchange Server: CISA Warns

Redazione RHC : 7 August 2025 07:56

A critical security flaw has been discovered in hybrid deployments of Microsoft Exchange Server. This vulnerability (CWE-287) allows attackers with local administrative access to escalate their privileges within cloud environments.

Although the attack complexity is rated high, and an attacker must first hold administrative access to an Exchange server, the vulnerability classification indicates that once this prerequisite is met, exploitation can affect resources beyond the initially compromised component.

This is CVE-2025-53786, which was officially documented by Microsoft on August 6, 2025, following a researcher’s demonstration at the Black Hat cybersecurity conference.

Security researcher Dirk-Jan Mollema of Outsider Security presented detailed exploitation techniques at Black Hat 2025, demonstrating how attackers can exploit this configuration to change user passwords, convert cloud users to hybrid users, and impersonate hybrid users.

The vulnerability stems from Microsoft’s Exchange hybrid deployment architecture, which traditionally used a shared service principal between on-premises Exchange servers and Exchange Online for authentication.

“These tokens are essentially valid for 24 hours. You can’t revoke them. So if someone has them, there’s absolutely nothing you can do defensively,” Mollema explained during his presentation.

The vulnerability exploits special access tokens used for Exchange server communication with Microsoft 365, which can’t be revoked once stolen, giving attackers up to 24 hours of uncontrolled access. The Cybersecurity and Infrastructure Security Agency (CISA) has assessed this vulnerability as high severity, with significant implications for enterprise security.

Affected Product                                        Affected Build
Microsoft Exchange Server 2019 Cumulative Update 15     15.02.1748.024
Microsoft Exchange Server 2019 Cumulative Update 14     15.02.1544.025
Microsoft Exchange Server 2016 Cumulative Update 23     15.01.2507.055
Microsoft Exchange Server Subscription Edition RTM      15.02.2562.017

According to the CISA advisory, the vulnerability “allows an attacker with administrative access to a Microsoft Exchange Server local privilege escalation by exploiting vulnerable hybrid configurations.” If left unchecked, this flaw could impact the integrity of an organization’s Exchange Online service identity.

The official Microsoft documentation explains that Exchange Server previously used “a shared core service with the same Exchange Online application” for hybrid features such as calendar sharing and user profile pictures. The vulnerability enables sophisticated attack scenarios in which adversaries with initial administrative access to on-premises Exchange servers can escalate privileges within connected cloud environments.

This makes it particularly dangerous for organizations with hybrid Exchange deployments, as a single compromised on-premises server could provide extensive cloud access.

Microsoft stated that no exploitation of the vulnerability had been observed as of the announcement date, although security researchers have demonstrated proof-of-concept attacks.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.