TL;DR: A critical vulnerability in hybrid Exchange Server allows attackers to move from the on-premises server to the Microsoft 365 cloud as if they had the keys to the castle. More than 29,000 servers are still vulnerable. Spoiler: it’s not good.
The drama in a few words
Microsoft has just disclosed the existence of CVE-2025-53786, a privilege escalation vulnerability that sends shivers down the spine. This flaw affects hybrid deployments of Microsoft Exchange Server and enables an attacker with administrator rights on an on-premise Exchange server to escalate privileges into the connected cloud environment.
To put it simply: if a hacker takes control of your local Exchange server, they can then roam inside your Microsoft 365 tenant as if they were at home. And the worst? They can do all of this without leaving easily detectable traces.
Why is this so serious?
CVSS score 3.1: 8.0/10 – In other words, it falls into the “very not good” category.
This flaw exists because Exchange Server and Exchange Online share “the same service principal in hybrid configurations.” In short, Microsoft created a highway between your on-premises server and the cloud, and that highway had no toll.
The affected environments:
- Exchange Server 2016
- Exchange Server 2019
- Microsoft Exchange Server Subscription Edition
All in hybrid configuration, obviously.
The numbers that frighten
According to Shadowserver scans, more than 29,000 Exchange servers are still unpatched against this vulnerability. The most affected countries? the United States (7,300 servers), Germany (6,500) and Russia (2,500).
To put this into perspective: it’s like 29,000 banks leaving their vaults open with a “Help yourself” sign at the entrance.
CISA’s panicked response
The U.S. cybersecurity agency does not pull its punches. CISA issued Emergency Directive ED 25-02, giving federal agencies until Monday, August 11, 2025 (9:00 a.m. EDT) to remediate this flaw.
The message is clear: “Exploitation of this vulnerability could lead to a total compromise of the hybrid cloud and on-premises domain.” Translation: it’s total chaos if you don’t act.
How to protect yourself (before it’s too late)
Microsoft has been busy and rolled out fixes:
1. The patch that saves
Microsoft had already released a Hot Fix in April 2025 that enhances the security of hybrid Exchange deployments. If you haven’t installed it yet, now is the time.
2. The critical steps per CISA
- Complete inventory : Use the Microsoft Exchange Server Health Checker script
- Immediate disconnect of servers not eligible for the April 2025 updates
- Install the latest compatible Cumulative Updates
- Apply Hotfix Updates on all hybrid servers
3. For hybrid configurations
- Deploy the dedicated hybrid Exchange app
- Follow Microsoft’s configuration recommendations
- Clean up old service principals if necessary
The final word
This vulnerability perfectly illustrates the risks of hybrid architectures: when you mix on-premise and cloud, security flaws can have multiplied consequences.
A friendly tip: If you manage a hybrid Exchange environment, this is not the time to procrastinate. Patch now, then analyze. Your CIO will thank you (and your boss too, incidentally).
And for those wondering whether it’s really that serious: imagine explaining to your leadership that all company data has leaked because you postponed an update “until next week.” Not good.
