Microsoft Urges Administrators to Address Critical Exchange Security Vulnerability (CVE-2025-53786)
In an Exchange hybrid deployment, an attacker who already holds administrative access to an on-premises Exchange server can escalate privileges into the organisation's connected Exchange Online environment, and can do so without leaving easily detectable or auditable traces. Microsoft tracks this privilege escalation as CVE-2025-53786, a newly disclosed vulnerability that stems from the way classic hybrid configurations share a single service principal between Exchange Server and Exchange Online. The first-party Office 365 Exchange Online application, whose credentials authenticate and secure traffic between the two environments, sits at the centre of the issue: the hybrid configuration registers an on-premises certificate on that shared principal, so whoever controls the on-premises server also controls a credential the cloud side trusts. Because many organisations still rely on this setup, Microsoft has begun scheduling temporary blocks on Exchange Web Services (EWS) traffic that uses the shared principal, to push customers toward the dedicated Exchange hybrid app.
The move from the shared Office 365 Exchange Online application to a dedicated Exchange hybrid app has been under way for some time. Microsoft started the process in April 2025 by releasing hotfix updates for the supported Exchange Server versions and urging customers to install them. After installing the hotfix, organisations must run a PowerShell script published by Microsoft that creates the dedicated app in the tenant and switches the on-premises servers from the shared principal to it. The remaining steps are a transition of hybrid calls to the Microsoft Graph API and a move to a more granular permission model, with a deadline in October 2026. Although adoption of server builds that support the dedicated hybrid app has been good, the number of customers who have actually created the app remains low, which is why Microsoft has scheduled EWS traffic blocks that will affect tenants that have not updated or enabled the dedicated app. Administrators who have created the app should also confirm that the certificate credentials have been removed from the shared service principal; until that clean-up is done, the old trust path still exists.
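The following is an added example, not code from the article or from Microsoft. It shows the check an administrator would run before and after the migration described above: using the Microsoft Graph PowerShell SDK it reports whether the shared Office 365 Exchange Online service principal still carries certificate credentials, and whether a dedicated hybrid app exists in the tenant, then notes the script invocations for the switch-over. Assumptions, all labelled in the comments: the Microsoft.Graph module is installed and the signed-in account can read applications; the well-known appId of the Office 365 Exchange Online first-party app is `00000002-0000-0ff1-ce00-000000000000`; the dedicated app created by Microsoft's script is named with the prefix `ExchangeServerApp`; and the script name `ConfigureExchangeHybridApplication.ps1` and the two parameters shown are taken from Microsoft's published guidance at the time of writing and should be confirmed with `Get-Help` on the downloaded script.

```powershell
# Added example (not from the article or Microsoft): audit the hybrid
# service-principal state with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; account holds at least
# Application.Read.All; run from any workstation with tenant access.

# Well-known appId of the first-party "Office 365 Exchange Online" app that
# Exchange Server and Exchange Online share in classic hybrid (assumed constant).
$SharedExoAppId = '00000002-0000-0ff1-ce00-000000000000'

# Display-name prefix Microsoft's script uses for the dedicated app (assumption;
# adjust if the app was renamed in your tenant).
$DedicatedAppPrefix = 'ExchangeServerApp'

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

function Get-HybridPrincipalReport {
    # Summarises what an on-premises compromise could reuse: certificate
    # credentials left on the shared service principal, and whether the tenant
    # has already moved to a dedicated hybrid app.
    $shared = @(Get-MgServicePrincipal -Filter "appId eq '$SharedExoAppId'") | Select-Object -First 1
    if (-not $shared) {
        throw "Service principal for appId $SharedExoAppId not found in this tenant."
    }

    $certs = @($shared.KeyCredentials)
    $dedicated = @(Get-MgApplication -Filter "startswith(displayName,'$DedicatedAppPrefix')" -All)

    [pscustomobject]@{
        SharedPrincipalId        = $shared.Id
        SharedPrincipalCertCount = $certs.Count
        SharedPrincipalCerts     = @($certs | ForEach-Object {
                                       '{0} (expires {1:yyyy-MM-dd})' -f $_.KeyId, $_.EndDateTime
                                   })
        DedicatedAppCount        = $dedicated.Count
        DedicatedAppNames        = @($dedicated | Select-Object -ExpandProperty DisplayName)
    }
}

$report = Get-HybridPrincipalReport
$report | Format-List

# Interpretation: a tenant is only finished when BOTH a dedicated app exists
# AND the shared principal has no certificate credentials left on it.
if ($report.DedicatedAppCount -eq 0) {
    Write-Warning 'No dedicated Exchange hybrid app found; hybrid still depends on the shared service principal.'
}
if ($report.SharedPrincipalCertCount -gt 0) {
    Write-Warning ("Shared Office 365 Exchange Online principal still holds {0} certificate credential(s); " +
                   "an on-premises compromise can still obtain cloud tokens through it.") -f $report.SharedPrincipalCertCount
}

# Switch-over, run from the Exchange Management Shell on an on-premises server
# that already has the April 2025 (or later) hotfix. Parameter names are from
# Microsoft's documentation at the time of writing; verify with:
#   Get-Help .\ConfigureExchangeHybridApplication.ps1 -Full
#
#   # create the dedicated app and point the servers at it
#   .\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication
#
#   # after every server uses the dedicated app, remove the certificate
#   # credentials from the shared principal so the old trust path is gone
#   .\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials
```

Run the audit once before the switch-over to record the starting state, and again after the clean-up step; the second run should show a dedicated app and a certificate count of zero on the shared principal. Rerun it after any Hybrid Configuration Wizard execution, since re-running the wizard on a server that has not been switched can re-register the on-premises certificate on the shared principal.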
Categories: Cybersecurity Vulnerabilities, Exchange Hybrid Deployment, Microsoft Exchange Updates
Tags: Exchange Hybrid Deployment, Privilege Escalation, CVE-2025-53786, Vulnerability, Exchange Online, Office 365, Exchange Web Services, Microsoft Graph API, Dedicated Exchange Hybrid App, Hotfix Updates