
Microsoft Discloses Exchange Server Flaw Enabling Silent Cloud Access in Hybrid Setups

Microsoft has released an advisory for a high-severity security flaw affecting on-premises versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions. The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0. Dirk-jan Mollema of Outsider Security has been acknowledged for reporting the bug.

"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces," the tech giant said in the alert. "This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations."

In other words, the on-premises server and the cloud tenant trust one identity, so an attacker who controls the server can act in the tenant under that shared identity, and the resulting activity is hard to distinguish from legitimate hybrid traffic. The attack does, however, hinge on the threat actor already holding administrator access to an Exchange Server; the flaw is a post-compromise privilege escalation, not an initial-access vector.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a bulletin of its own, said the vulnerability could impact the identity integrity of an organization's Exchange Online service if left unpatched.

As mitigations, customers are recommended to review Exchange Server security changes for hybrid deployments, install the April 2025 Hot Fix (or newer), and follow the…
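Because the mitigation is to get every on-premises server onto the April 2025 Hotfix Update or newer, the first practical step is an inventory. The script below is an added example for this post, not code from Microsoft or from the advisory. It assumes it is run from the Exchange Management Shell by an Exchange administrator with PowerShell remoting to each server, and it takes the minimum acceptable build as a parameter you must fill in from Microsoft's release notes for your Cumulative Update (the page does not list build numbers, and neither does this example). It reads the ExSetup.exe file version rather than AdminDisplayVersion, because the latter only reflects the CU and does not change when a hotfix or security update is applied.

```powershell
# Added example (not from the advisory or Microsoft): inventory Exchange servers and
# compare each server's ExSetup.exe build against a minimum build you supply.
# Assumptions: Exchange Management Shell, Exchange admin rights, PowerShell remoting
# to each server. $MinimumBuild is a placeholder; set it from Microsoft's April 2025
# Hotfix Update release notes for your CU (not stated on this page).
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

# Confirm the org is actually hybrid. Get-HybridConfiguration returns nothing if the
# Hybrid Configuration Wizard was never run, in which case the shared-principal
# concern described in the advisory does not apply.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if (-not $hybrid) {
    Write-Warning "No hybrid configuration object found; CVE-2025-53786 concerns hybrid deployments."
}

# AdminDisplayVersion only reflects the CU, not hotfix/security updates,
# so read the ExSetup.exe file version on each server instead.
$results = foreach ($srv in Get-ExchangeServer) {
    try {
        $fileVersion = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
        }
        # Format is like "15.02.1544.014"; [version] normalises the leading zeros.
        $build = [version]$fileVersion
        [pscustomobject]@{
            Server  = $srv.Name
            Build   = $build
            Patched = ($build -ge $MinimumBuild)
            Error   = $null
        }
    } catch {
        # Unreachable or non-remotable servers still need to be accounted for,
        # so record them rather than silently skipping them.
        [pscustomobject]@{
            Server  = $srv.Name
            Build   = $null
            Patched = $null
            Error   = $_.Exception.Message
        }
    }
}

# Unpatched and unreachable servers sort to the top.
$results | Sort-Object Patched | Format-Table -AutoSize
```

Treat a server listed as unreachable as unverified rather than patched. Note also that this inventory only covers the patching half of the advisory; because the attack starts from an already-compromised Exchange administrator, it says nothing about whether such access has already been obtained, and the rest of Microsoft's hybrid guidance (cut off in the excerpt above) still has to be followed.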
