Microsoft Flags Exchange Server Flaw That Could Enable Silent Cloud Access

Microsoft has issued a security advisory for a high-severity vulnerability in on-premises Exchange Server that allows attackers to silently elevate privileges into connected cloud environments. The vulnerability (CVE-2025-53786, CVSS 8.0) is causing a stir in the security community because of its impact on hybrid environments.

According to Microsoft, if an attacker already has administrative access to an on-premises Exchange Server, they can gain full access to Exchange Online without leaving the logs or footprints that most security teams rely on.

Why hybrid setups are especially at risk

At the heart of the issue is how Exchange Server and Exchange Online share the same service principal in hybrid configurations. This connection, while designed to make hybrid mail environments seamless, also opens the door for attackers who’ve compromised the on-prem server.

Security researcher Dirk-jan Mollema, credited with discovering the flaw, explained at Black Hat USA 2025 that certificates stored in on-premises Exchange setups can be misused to request special “actor tokens” from Microsoft’s Access Control Service. These tokens bypass common defenses like Conditional Access, effectively allowing someone to impersonate any user in the tenant—including administrators—for up to 24 hours. Worse still, the process leaves no clear audit trail.

Microsoft and CISA push urgent mitigations

Microsoft is urging customers to act quickly. The company recommends reviewing hybrid deployment security settings, applying the April 2025 Hotfix (or any newer update), and resetting service principal keys if hybrid or OAuth authentication is no longer in use. A more permanent fix is on the way—by October 2025, Microsoft plans to enforce a mandatory separation of service principals between on-prem and cloud Exchange environments.
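One check an administrator can run before deciding whether those service principal keys need resetting is to enumerate the certificates registered on the shared Exchange Online service principal. The script below is an added example, not part of the advisory or Microsoft's own remediation tooling; it assumes the Microsoft.Graph PowerShell module, a caller with Application.Read.All, and that the well-known "Office 365 Exchange Online" first-party appId is the one in use in the tenant.

```powershell
# Added example, not from the advisory or Microsoft's remediation script.
# Assumes: Microsoft.Graph module installed, caller has Application.Read.All.
# The appId below is the well-known "Office 365 Exchange Online" application.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-ExchangeHybridSpKeys {
    <#
    Lists every certificate (keyCredential) registered on the shared
    Exchange Online service principal and flags those still valid today.
    In a hybrid tenant these are the keys an on-prem server can use to
    obtain tokens; if hybrid/OAuth is retired, none should remain.
    #>
    param([string]$AppId = $ExchangeOnlineAppId)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" `
            -Property Id, DisplayName, KeyCredentials
    if (-not $sp) { throw "No service principal for appId $AppId in this tenant." }

    $now = Get-Date
    foreach ($k in $sp.KeyCredentials) {
        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            KeyId            = $k.KeyId
            DisplayName      = $k.DisplayName
            Type             = $k.Type
            Usage            = $k.Usage
            NotBefore        = $k.StartDateTime
            NotAfter         = $k.EndDateTime
            CurrentlyValid   = ($k.StartDateTime -le $now -and $k.EndDateTime -ge $now)
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'
$keys = @(Get-ExchangeHybridSpKeys)
if ($keys.Count -eq 0) {
    Write-Host 'No certificates registered on the Exchange Online service principal.'
} else {
    $keys | Sort-Object NotAfter | Format-Table -AutoSize
    $active = @($keys | Where-Object CurrentlyValid).Count
    Write-Host "$active currently valid certificate(s) found."
    Write-Host "If hybrid/OAuth is no longer in use, reset these keys per Microsoft's guidance."
}
```

Any valid certificate listed here that is not tied to an active hybrid deployment is a candidate for the key reset Microsoft describes; the reset itself is not performed by this script.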

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed the urgency in its bulletin, warning that the flaw could undermine the integrity of Exchange Online identities. On August 7, the agency took further action, issuing an emergency directive (ED 25-02) that required all federal civilian agencies with hybrid Exchange environments to remediate by August 11.

“Immediate action is necessary,” CISA stressed, noting that attackers with existing admin access could leverage the flaw to seize significant control over a victim’s Microsoft 365 environment.

Wider security concerns surface

This advisory also arrives amid broader concerns about attackers exploiting Microsoft enterprise software. CISA recently disclosed findings from investigations into new malware artifacts tied to the exploitation of SharePoint flaws. These included web shells and encoded binaries capable of stealing cryptographic keys and exfiltrating sensitive system data.

The overlap between Exchange and SharePoint exploitation highlights how attackers continue to probe identity systems and hybrid cloud configurations—areas where complexity often creates blind spots. Experts suggest that hybrid environments, while convenient for migration and flexibility, have become prime targets for adversaries seeking stealthy access to cloud assets.

For now, organizations running hybrid Exchange setups are advised to patch quickly, review configurations, and prepare for Microsoft’s upcoming changes that will separate on-prem and cloud service principals. While exploitation of CVE-2025-53786 requires existing admin access, the ability to escalate privileges into Exchange Online undetected makes it a serious risk.
