Vulnerability Description
Microsoft has identified a high-severity vulnerability, CVE-2025-53786, that allows attackers with administrative access to escalate privileges within an organization’s connected cloud environment due to shared service principals in hybrid setups. This vulnerability only affects on-premises Exchange servers configured in an Exchange hybrid deployment, deployments that combine Exchange servers with Exchange Online in Microsoft 365. Successful exploitation could lead to unauthorized control over Exchange Online services. Note that this vulnerability requires admin access to be leveraged.
Vendor Guidance
Microsoft has stated that they are not aware of this vulnerability being actively exploited at the time of writing this advisory, but have urged organizations to adhere to the following guidance to prevent exploitation and keep their environments patched and up to date.
- If you are using Exchange hybrid, consult Microsoft’s guidance on Exchange Server Security Changes for Hybrid Deployments to assess whether your Microsoft hybrid deployments might be affected and eligible for a Cumulative Update (CU).
- Apply Microsoft’s April 2025 Exchange Server Hotfix Updates to the on-premise Exchange server and adhere to Microsoft’s configuration instructions for deploying a dedicated Exchange hybrid app.
- For organizations utilizing Exchange hybrid (or those that have previously set up Exchange hybrid but no longer use it), refer to Microsoft’s Service Principal Clean-Up Mode for instructions on resetting the service principal’s keyCredentials.
- After completing these steps, run the Microsoft Exchange Health Checker to determine if any additional actions are necessary.
CISA has issued an emergency directive ordering Federal Civilian Executive Branch agencies to mitigate this vulnerability by 9:00 AM ET on Monday August 11, 2025 and strongly advises organizations to disconnect any public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For instance, SharePoint Server 2013 and earlier versions are considered EOL and should be decommissioned if they are still in use.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-53786 – CVSS 8.0 (High) – Assigned by Microsoft |
| Vulnerability Description | Allows an attacker with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. |
| Date of Disclosure | August 6, 2025 |
| Date Reported Actively Exploited | N/A |
| Affected Assets | Microsoft Exchange Server deployments in Hybrid environments. |
| Vulnerable Software Versions | Exchange Server Subscription Edition RTM (15.02.0.0 before 15.02.2562.017)Exchange Server 2019 CU 15 (15.02.0 before 15.02.1748.024)Exchange Server 2019 CU 14 (15.02.0.0 before 15.02.1544.025)Exchange Server 2016 CU 23 (15.01.0 before 15.01.2507.055) |
| PoC Available? | There is no evidence that a public proof-of-concept exists. |
| Exploitation Status | N/A |
| Patch Status | The following Exchange releases have patched this vulnerability:Exchange Server 2019 Cumulative Update 14Exchange Server 2016 Cumulative Update 23Exchange Server 2019 Cumulative Update 15Exchange Server Subscription Edition RTM |
Censys Perspective
At the time of writing, Censys observed 98,685 exposed on-premises Exchange Servers online. While we can infer versions for these devices, we cannot determine whether an Exchange server is configured in a hybrid deployment or which CU has been applied to an exposed instance. Therefore, all these exposures should be considered potentially vulnerable.
Microsoft has stated that “When you install Exchange Server, Outlook on the web is automatically available for internal users at https://<ServerName>/owa (for example, https://mailbox01.contoso.com/owa). But, you’ll likely want to configure Outlook on the web for external access (for example, https://mail.contoso.com/owa).”
This query can be used to find OWA portals that do not necessarily have an Exchange server running on the same host:
host.services.endpoints.http.html_title: {"Outlook Web App", "Outlook"}Alternatively, to find Exchange servers with OWA portals hosted on the same device, this query can be used:
host.services.endpoints.http.html_title: {"Outlook Web App", "Outlook"} and host.services.software: (vendor: "Microsoft" and product: "Exchange Server")The queries below can be used to find exposed Exchange servers, whether or not an OWA portal is present.
host.services.software: (vendor: "Microsoft" and product: "Exchange Server")
host.services.software: (vendor="Microsoft" and product="Exchange Server")
risks.name = "Vulnerable Exchange Server [CVE-2025-53786]"
services.software: (vendor="Microsoft" and product="Exchange Server")
