Redazione RHC : 7 August 2025 07:56
A critical security flaw has been discovered in hybrid deployments of Microsoft Exchange Server. This vulnerability (CWE-287) allows attackers with local administrative access to escalate their privileges within cloud environments.
Although the attack complexity is rated high and attackers must first hold administrative access to an Exchange server, once that prerequisite is met the vulnerability's classification indicates that exploitation can affect resources beyond those of the initially compromised component.
This is CVE-2025-53786, which was officially documented by Microsoft on August 6, 2025, following a researcher’s demonstration at the Black Hat cybersecurity conference.
Security researcher Dirk-Jan Mollema of Outsider Security presented detailed exploitation techniques at Black Hat 2025, demonstrating how attackers can exploit this configuration to change user passwords, convert cloud users to hybrid users, and impersonate hybrid users.
The vulnerability stems from Microsoft’s Exchange hybrid deployment architecture, which traditionally used a shared service principal between on-premises Exchange servers and Exchange Online for authentication.
“These tokens are essentially valid for 24 hours. You can’t revoke them. So if someone has them, there’s absolutely nothing you can do defensively,” Mollema explained during his presentation.
The vulnerability exploits special access tokens used for Exchange server communication with Microsoft 365, which can’t be revoked once stolen, giving attackers up to 24 hours of uncontrolled access. The Cybersecurity and Infrastructure Security Agency (CISA) has assessed this vulnerability as high severity, with significant implications for enterprise security.
| Affected Product | Affected Build |
|---|---|
| Microsoft Exchange Server 2019 Cumulative Update 15 | 15.02.1748.024 |
| Microsoft Exchange Server 2019 Cumulative Update 14 | 15.02.1544.025 |
| Microsoft Exchange Server 2016 Cumulative Update 23 | 15.01.2507.055 |
| Microsoft Exchange Server Subscription Edition RTM | 15.02.2562.017 |
According to the CISA advisory, the vulnerability “allows an attacker with administrative access to a Microsoft Exchange Server local privilege escalation by exploiting vulnerable hybrid configurations.” If left unchecked, this flaw could impact the integrity of an organization’s Exchange Online service identity.
The official Microsoft documentation explains that Exchange Server previously used “a shared core service with the same Exchange Online application” for hybrid features such as calendar sharing and user profile pictures. The vulnerability enables sophisticated attack scenarios in which adversaries with initial administrative access to on-premises Exchange servers can escalate privileges within connected cloud environments.
This makes it particularly dangerous for organizations with hybrid Exchange deployments, as a single compromised on-premises server could provide extensive cloud access.
Microsoft stated that no exploitation of the vulnerability had been observed as of the announcement date, although security researchers have demonstrated proof-of-concept attacks.