Microsoft Flags Exchange Server Vulnerability Tied to Hybrid Setups
Microsoft has issued a warning about a high-severity vulnerability in Exchange Server that enables privilege escalation in hybrid environments, and does so with little audit trail.
The flaw, tracked as CVE-2025-53786 with a CVSS score of 8.0, affects on-premises Exchange servers configured for hybrid deployment with Exchange Online. An attacker who already has administrative control of the on-premises server could escalate that access into the connected Exchange Online tenant, potentially without leaving easily detectable or auditable traces.
That is because, in a hybrid setup, on-premises Exchange and Exchange Online share the same service principal for authentication, so credentials the on-premises server holds for that principal are also valid against Exchange Online. Dirk-jan Mollema of Outsider Security discovered the issue.
Microsoft recommends immediate action: install the April 2025 (or later) Exchange Server hotfix update, review your hybrid configuration and move to the dedicated Exchange hybrid app, and, if you no longer use OAuth or Exchange hybrid features, reset the shared service principal's credentials.
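The credential-review and reset steps above can be checked from PowerShell against the shared service principal. The following is an added example written for this page, not Microsoft's own script (Microsoft ships its own ConfigureExchangeHybridApplication.ps1 for the dedicated hybrid app); it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can read, and for the optional reset write, application objects. The AppId used is the well-known first-party "Office 365 Exchange Online" application ID; the variable names are this example's own.

```powershell
# Added audit example for the remediation steps above. Not Microsoft's script:
# it only inspects, and optionally clears, the keyCredentials on the shared
# Exchange Online service principal that on-premises hybrid Exchange uses.
# Assumptions: Microsoft.Graph module installed; account can read (and, for the
# reset, write) application objects. $exoAppId is the well-known first-party
# "Office 365 Exchange Online" app ID.

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$exoAppId = "00000002-0000-0ff1-ce00-000000000000"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" | Select-Object -First 1
if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }

# In a hybrid deployment the Hybrid Configuration Wizard registers the on-prem
# Exchange OAuth certificate here. Anything holding that certificate's private
# key can obtain tokens as this principal, which is the trust the advisory
# describes. CustomKeyIdentifier normally carries the certificate thumbprint
# bytes, so render it as hex for comparison with the on-prem side.
$entries = foreach ($k in $sp.KeyCredentials) {
    $thumb = if ($k.CustomKeyIdentifier) {
        ($k.CustomKeyIdentifier | ForEach-Object { $_.ToString("X2") }) -join ""
    } else { "<none>" }
    [pscustomobject]@{
        DisplayName = $k.DisplayName
        Thumbprint  = $thumb
        Usage       = $k.Usage
        Type        = $k.Type
        NotBefore   = $k.StartDateTime
        NotAfter    = $k.EndDateTime
    }
}

"Shared service principal $($sp.Id) has $(@($entries).Count) keyCredential(s):"
$entries | Format-Table -AutoSize

# Cross-check against the on-premises side from the Exchange Management Shell:
#   (Get-AuthConfig).CurrentCertificateThumbprint
# A keyCredential whose thumbprint matches no certificate you still use, or that
# remains on a tenant where hybrid/OAuth has been retired, should be investigated.

# Reset step from the advisory: only if Exchange hybrid and OAuth are no longer
# in use. Clearing keyCredentials breaks any remaining on-prem to cloud OAuth.
# Deliberately commented out; remove the comment marker to run it.
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
```

Run the read-only part first and keep the output: the list of thumbprints and expiry dates is the baseline you compare against after patching and after moving to the dedicated hybrid app, and an entry nobody can account for is worth an incident-response look before it is simply deleted.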
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also warned that unremediated systems could compromise the identity integrity of an organization's Exchange Online service. It is urging organizations to disconnect or decommission end-of-life Exchange and SharePoint servers that are still exposed to the internet.
The advisory arrives as Microsoft prepares to temporarily block EWS traffic that uses the shared service principal, a step intended to push more tenants toward the dedicated Exchange hybrid app.
CISA added context, noting that the recent SharePoint attacks involved ToolShell, an exploit chain against on-premises SharePoint servers that lets attackers steal ASP.NET machine keys and run PowerShell payloads to exfiltrate data.