CVE-2025-53786: Exchange Server Flaw Lets Hackers Access Cloud Without Detection


Microsoft has issued a high-severity security warning about a critical vulnerability affecting on-premise Exchange Servers used in hybrid cloud setups. The flaw, identified as CVE-2025-53786, has a CVSS severity score of 8.0, making it a serious threat if left unpatched.

Discovered by Dirk-jan Mollema from Outsider Security, this vulnerability allows an attacker who already has administrator access to an on-premise Exchange Server to gain privileged access to connected Exchange Online (cloud-based) services — without being easily detected.

In hybrid environments where organizations use both on-premise Exchange Servers and Microsoft’s cloud-based Exchange Online, both systems share the same service principal. This shared identity creates a risk: if an attacker gains control of the on-premise Exchange Server, they may be able to use that trust relationship to escalate their privileges in the cloud environment.

According to Microsoft, “This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.”

This means that once the on-premise server is compromised, the attacker can access the Exchange Online cloud service silently, without leaving easily trackable logs or alerts. While the vulnerability does not allow attackers to breach the system directly, it can be exploited by threat actors who already have elevated permissions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a bulletin about the flaw. The agency warns that if not patched, the bug could compromise the identity integrity of an organization’s Exchange Online service. In simpler terms, attackers could impersonate trusted services or users within the Microsoft cloud.

CISA strongly recommends that all organizations review their Exchange Server configurations — especially if they are running hybrid setups — and apply the necessary security patches and configuration changes.

To protect against this vulnerability, Microsoft has advised the following steps:

  1. Install the April 2025 Hot Fix or Newer: This update includes necessary changes to secure hybrid Exchange deployments.

  2. Review Hybrid Configuration: Organizations should verify that their Exchange hybrid setup follows Microsoft’s updated security guidelines.

  3. Reset Unused Service Principals: If you’ve previously configured hybrid or OAuth authentication between Exchange Server and Exchange Online but no longer use it, reset the keyCredentials of the shared service principal.

These steps are essential to prevent unauthorized access to Exchange Online through compromised on-premise servers.
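To support steps 2 and 3, the following read-only audit script (an added example, not part of the article and not Microsoft's own hybrid configuration script) lists the keyCredentials on the shared Exchange Online service principal so they can be matched to a hybrid deployment that is still in use. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can read service principals, and that the first-party Office 365 Exchange Online application ID is `00000002-0000-0ff1-ce00-000000000000` (verify against Microsoft's documentation for your tenant).

```powershell
# Added audit example: enumerate keyCredentials on the shared Exchange Online
# service principal. Read-only; nothing here modifies the tenant.
# Assumes the Microsoft.Graph module and Application.Read.All consent.
Connect-MgGraph -Scopes 'Application.Read.All'

# Assumed app ID of the first-party "Office 365 Exchange Online" application,
# the service principal that on-premises Exchange shares in hybrid/OAuth setups.
$ExoAppId = '00000002-0000-0ff1-ce00-000000000000'

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'"
if (-not $sp) {
    throw "Exchange Online service principal not found in this tenant."
}

$now   = Get-Date
$creds = @($sp.KeyCredentials)

if ($creds.Count -eq 0) {
    Write-Host "No keyCredentials on the shared Exchange Online service principal."
    Write-Host "No on-premises certificate trust is currently bound to this identity."
    return
}

# Every certificate listed here is a trust path from an on-premises server into
# Exchange Online. Each should map to a hybrid deployment you still operate;
# anything unrecognised or no longer needed is a candidate for the reset in step 3.
$creds | ForEach-Object {
    [pscustomobject]@{
        KeyId       = $_.KeyId
        DisplayName = $_.DisplayName
        Type        = $_.Type
        Usage       = $_.Usage
        NotBefore   = $_.StartDateTime
        NotAfter    = $_.EndDateTime
        Expired     = ($_.EndDateTime -lt $now)
    }
} | Format-Table -AutoSize
```

Run the script from a tenant administrator workstation and keep the output with your hybrid configuration records; an expired or unrecognised entry is the signal to follow Microsoft's reset guidance rather than something the script removes for you.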


As part of a broader security initiative, Microsoft also announced that starting this month, it will temporarily block Exchange Web Services (EWS) traffic that uses the shared Exchange Online service principal. This change is aimed at encouraging customers to move to the dedicated Exchange Hybrid app, which offers better security and identity management.

This move will help reduce the attack surface and ensure that only authenticated and approved applications can interact with Exchange Online in hybrid environments.

In a related development, CISA analyzed malicious activity involving the exploitation of vulnerabilities in Microsoft SharePoint, tracked under the ToolShell campaign. The agency identified:

  • Two Base64-encoded DLL files

  • Four ASPX web shell files

These components were designed to extract sensitive cryptographic keys and execute Base64-encoded PowerShell commands to fingerprint systems and exfiltrate data.

Such techniques show how attackers are increasingly targeting identity-based access and configuration settings, which can lead to a full-scale cloud compromise if not addressed in time.

Organizations that use Exchange Server in a hybrid setup should take the following steps immediately:

  • Patch all on-premise Exchange Servers with the April 2025 update or newer.

  • Audit hybrid configurations for any misconfigurations or unused service principals.

  • Use separate service principals for Exchange Online and on-premise environments if possible.

  • Monitor cloud access logs for unusual activity.

  • Isolate outdated Exchange or SharePoint servers from the internet, especially if they are past their end-of-life (EOL) or end-of-service date.

The CVE-2025-53786 vulnerability highlights a growing risk in hybrid cloud environments: identity-based attacks. As organizations continue to operate across both on-premise and cloud platforms, shared service principals and outdated configurations become easy targets for cybercriminals.

Microsoft’s proactive steps, combined with CISA’s advisory, serve as a strong reminder to IT teams: don’t just patch vulnerabilities — review your entire identity infrastructure. Hybrid deployments require constant monitoring and updates to prevent silent intrusions.

By following Microsoft’s recommendations and staying alert to new threat vectors, businesses can secure their email systems and protect sensitive communications both on-premise and in the cloud.
