CVE-2025-53786 affects Microsoft Exchange

CVE-2025-53786 is a high-severity elevation-of-privilege vulnerability in Microsoft Exchange Server hybrid deployments. An attacker who already holds administrative access to an on-premises Exchange server can use it to escalate privileges in the organisation's connected Exchange Online tenant, and can do so without leaving easily detectable or auditable traces on the cloud side.

The vulnerability stems from the identity model that hybrid configurations have used until now: on-premises Exchange Server and Exchange Online share a single service principal, and the on-premises server holds a credential for it. Whoever controls the on-premises server therefore controls a credential that Exchange Online trusts as its own, and can obtain tokens and issue API calls in that identity that the cloud side cannot distinguish from legitimate hybrid traffic. Microsoft warns that this can lead to total domain compromise spanning both the on-premises and cloud environments.

Affected products include:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition

Key details of CVE-2025-53786:

  • Abuses the shared service principal (shared identity) between on-premises Exchange and Exchange Online.
  • Requires prior administrative access to an on-premises Exchange server; it is a post-compromise escalation path, not an unauthenticated remote entry point.
  • Enables privilege escalation in the cloud environment with minimal or no detectable audit trail.
  • Undermines the integrity of identity and access management in Exchange Online.
  • No active exploitation has been observed, but Microsoft rates the vulnerability "Exploitation More Likely", so exploit code should be expected.

Mitigation steps include:

  • Applying Microsoft's April 2025 Exchange Server Hotfix Updates (or a later update) on all on-premises Exchange servers. The hotfix adds support for the dedicated hybrid application but does not by itself remove the shared identity, so the next step is required as well.
  • Deploying the dedicated Exchange hybrid application that replaces the shared service principal model, following Microsoft's configuration guidance.
  • Resetting the shared service principal's keyCredentials using Microsoft's Service Principal Clean-Up Mode instructions; this applies to organisations that have ever used Exchange hybrid or OAuth authentication between on-premises Exchange and Exchange Online, even if hybrid is no longer in use.
  • Running the Microsoft Exchange Health Checker tool to confirm the fix is in place and to determine whether any further remediation is needed.
  • Disconnecting any unsupported or end-of-life public-facing Exchange or SharePoint server instances from the internet.
  • Microsoft has announced that it will block Exchange Web Services (EWS) traffic that still uses the shared service principal starting in October 2025, so hybrid features that depend on it (cross-premises free/busy, MailTips and profile pictures) will stop working for organisations that have not moved to the dedicated hybrid application.
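The following script is an added example, not code from the original article or from Microsoft, that checks the first three mitigation items above in a read-only way: whether every on-premises server carries the April 2025 Hotfix Update build, whether the on-premises side has been pointed at a dedicated hybrid application, and whether any certificate credentials are still attached to the shared service principal. The fixed build numbers, the shared service principal's application ID (00000002-0000-0ff1-ce00-000000000000) and the use of the AuthServer object's ApplicationIdentifier as the marker for the dedicated app are assumptions recorded in the script comments; verify them against Microsoft's current documentation before acting on the output.

```powershell
# Added example, not code from the original article or from Microsoft.
# Read-only checks for the remediation items above. Run from an Exchange
# Management Shell on a server with PowerShell remoting to the others;
# the Graph part needs the Microsoft.Graph.Applications module.
#
# Assumptions to verify before relying on the output:
#  - The fixed ExSetup.exe versions in $PatchedRevisions are the April 2025
#    HU builds as recalled from Microsoft's build-number list. Hotfix and
#    Security Updates do not change AdminDisplayVersion, which is why the
#    script reads the file version of ExSetup.exe instead of Get-ExchangeServer.
#  - The shared service principal is the first-party "Office 365 Exchange
#    Online" application, appId 00000002-0000-0ff1-ce00-000000000000; after
#    Service Principal Clean-Up Mode its keyCredentials list is empty.
#  - Deploying the dedicated hybrid app records its application id in the
#    ApplicationIdentifier of the EvoSTS (Type = AzureAD) AuthServer object.

# Lowest ExSetup.exe revision per CU line that carries the April 2025 HU.
$PatchedRevisions = @{
    '15.1.2507' = 55   # Exchange 2016 CU23 + April 2025 HU -> 15.1.2507.55
    '15.2.1544' = 25   # Exchange 2019 CU14 + April 2025 HU -> 15.2.1544.25
    '15.2.1748' = 24   # Exchange 2019 CU15 + April 2025 HU -> 15.2.1748.24
}

function Test-ExchangeBuildPatched {
    # $true  : build is at or above the April 2025 HU for its CU line
    # $false : older build of a listed line, or a CU line that never received the HU
    param([Parameter(Mandatory)][version]$FileVersion)

    $line = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    if ($PatchedRevisions.ContainsKey($line)) {
        return ($FileVersion.Revision -ge $PatchedRevisions[$line])
    }
    # Exchange Server Subscription Edition (15.2.2562.x and later) shipped after
    # the fix, so any build from that point on already contains it.
    if ($FileVersion.Major -eq 15 -and $FileVersion.Minor -eq 2 -and $FileVersion.Build -ge 2562) {
        return $true
    }
    # Out-of-support CU lines (older 2019 CUs, older 2016 CUs): no HU exists,
    # the server must first be brought to a supported CU.
    return $false
}

function Get-ExchangeHybridPatchState {
    # One row per Exchange server with its ExSetup.exe build and a patch verdict.
    foreach ($srv in Get-ExchangeServer) {
        $fileVersion = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Server       = $srv.Name
            ExSetupBuild = $fileVersion
            Patched      = Test-ExchangeBuildPatched -FileVersion ([version]$fileVersion)
        }
    }
}

function Get-SharedServicePrincipalKeys {
    # Certificate credentials still attached to the shared service principal.
    # Anything listed here is a key an on-premises compromise could still use;
    # after Service Principal Clean-Up Mode the output should be empty.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $sp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
    $sp.KeyCredentials | Select-Object DisplayName, KeyId, StartDateTime, EndDateTime
}

function Get-DedicatedHybridAppState {
    # Shows whether the on-premises side has been pointed at a dedicated app
    # (ApplicationIdentifier populated, assumption above) rather than the shared identity.
    Get-AuthServer | Where-Object { $_.Type -eq 'AzureAD' } |
        Select-Object Name, Type, Enabled, ApplicationIdentifier
}

'== ExSetup.exe build per server (April 2025 HU or later?) =='
Get-ExchangeHybridPatchState | Format-Table -AutoSize
'== Dedicated hybrid app (AuthServer) =='
Get-DedicatedHybridAppState | Format-List
'== keyCredentials still on the shared service principal =='
Get-SharedServicePrincipalKeys | Format-Table -AutoSize
```

A server reported as Patched = False still needs the Hotfix Update (or a supported CU first); a populated keyCredentials list on the shared service principal means the Clean-Up Mode step has not been completed, regardless of how many servers are patched, because that is the credential an attacker on the on-premises side would reuse. The Graph call needs an account that has consented to the Application.Read.All scope; the actual remediation is done with Microsoft's ConfigureExchangeHybridApplication.ps1 script, whose parameters should be taken from Microsoft's current documentation rather than from this example.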

In hybrid Exchange environments this vulnerability turns an on-premises compromise into a cloud compromise, so timely patching together with the configuration changes above (the patch alone is not enough) is essential to prevent domain-wide compromise and loss of identity integrity.
