Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions.
The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0. Dirk-jan Mollema with Outsider Security has been acknowledged for reporting the bug.
“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces,” the tech giant said in the alert.
“This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.”
Successful exploitation of the flaw could allow an attacker to escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces, the company added. However, the attack hinges on the threat actor already having administrator access to an Exchange Server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a bulletin of its own, said the vulnerability could impact the identity integrity of an organization’s Exchange Online service if left unpatched.
As mitigations, customers are recommended to review Exchange Server security changes for hybrid deployments, install the April 2025 Hot Fix (or newer), and follow the configuration instructions.
“If you’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and your Exchange Online organization but no longer use it, make sure to reset the service principal’s keyCredentials,” Microsoft said.
The development comes as the Windows maker said it will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal starting this month in an effort to increase the customer adoption of the dedicated Exchange hybrid app and improve the security posture of the hybrid environment.
Microsoft’s advisory for CVE-2025-53786 also coincides with CISA’s analysis of various malicious artifacts deployed following the exploitation of recently disclosed SharePoint flaws, collectively tracked as ToolShell.
This includes two Base64-encoded DLL binaries and four Active Server Page Extended (ASPX) files that are designed to retrieve machine key settings within an ASP.NET application’s configuration and act as a web shell to execute commands and upload files.
“Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data,” the agency said.
CISA is also urging entities to disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet, not to mention discontinue the use of outdated versions.
