Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate their privileges in Exchange Online cloud environments without leaving any traces.
Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online (part of Microsoft 365), allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes, including shared calendars, global address lists, and mail flow.
However, in hybrid Exchange deployments, on-prem Exchange Server and Exchange Online also share the same service principal, which is a shared identity used for authentication between the two environments.
By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premises server.
Additionally, actions originating from on-premises Exchange don’t always generate logs associated with malicious behavior in Microsoft 365; therefore, traditional cloud-based auditing (such as Microsoft Purview or M365 audit logs) may not capture security breaches if they originated on-premises.
“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft said on Wednesday in a security advisory describing a high-severity privilege escalation vulnerability now tracked as CVE-2025-53786.
The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.
While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as “Exploitation More Likely” because its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, increasing its attractiveness to attackers.
“Total domain compromise”
CISA issued a separate advisory addressing this issue and advised network defenders who want to secure their Exchange hybrid deployments against potential attacks targeting the CVE-2025-53786 flaw by:
CISA warned that failing to mitigate this vulnerability could lead “to a hybrid cloud and on-premises total domain compromise” and urged admins to disconnect public-facing servers running end-of-life (EOL) or end-of-service versions of Exchange Server or SharePoint Server from the internet.
In January, Microsoft also reminded admins that Exchange 2016 and Exchange 2019 will reach their end of extended support in October and shared guidance for those who need to decommission outdated servers, advising them to migrate to Exchange Online or upgrade to Exchange Server Subscription Edition (SE).
In recent years, financially motivated and state-sponsored hackers have exploited multiple Exchange security vulnerabilities, including ProxyLogon and ProxyShell zero-days, to breach servers.
For instance, at least ten hacking groups exploited ProxyLogon in March 2021, including a Chinese-sponsored threat group tracked as Hafnium or Silk Typhoon.
Two years ago, in January 2023, Microsoft also urged customers to apply the latest supported Cumulative Update (CU) and keep their on-premises Exchange servers up to date to ensure they’re always ready to deploy emergency security updates.
Malware targeting password stores surged 3X as attackers executed stealthy Perfect Heist scenarios, infiltrating and exploiting critical systems.
Discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.