Ethical Hacking News
Microsoft has disclosed a critical security flaw (CVE-2025-53786) in on-premises versions of Exchange Server. The vulnerability allows an attacker to gain elevated privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces. In hybrid configurations this is possible because Exchange Server and Exchange Online share the same service principal. Mitigations include reviewing the Exchange Server security changes for hybrid deployments, installing the April 2025 Hot Fix, and resetting the service principal's key credentials. If left unpatched, the vulnerability may impact the identity integrity of an organization's Exchange Online service.
Microsoft has recently disclosed a critical security flaw (CVE-2025-53786) affecting on-premises versions of Exchange Server, which could enable an attacker to gain elevated privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces. Outsider Security is acknowledged for the finding, and Microsoft has released an advisory outlining the associated risks.
In a hybrid deployment, where an on-premises Exchange server is connected to Exchange Online, the shared service principal used for authentication can be leveraged to request Service-to-Service (S2S) actor tokens from Microsoft's Access Control Service (ACS). When the "trustedfordelegation" property is set, these tokens can be used to impersonate any hybrid user within the tenant for a 24-hour period, and their issuance produces no log entries.
The vulnerability arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations. This allows an attacker who gains administrative access to an on-premises Exchange server to potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces.
Microsoft has recommended several mitigations for this vulnerability, including reviewing Exchange Server security changes for hybrid deployments, installing the April 2025 Hot Fix (or newer), and following the configuration instructions. Additionally, customers are advised to reset the service principal's key credentials if they have previously configured Exchange hybrid or OAuth authentication between Exchange Server and their Exchange Online organization but no longer use it.
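As an added illustration that is not part of the article or of Microsoft's own tooling, the following PowerShell uses the Microsoft Graph module to list any key credentials still attached to the Exchange Online first-party service principal, the object that the shared-service-principal hybrid setup and the recommended credential reset both concern. It assumes the Microsoft.Graph module is installed and that the caller can consent to the Application.Read.All scope; the appId used is the well-known identifier of the Office 365 Exchange Online first-party application.

```powershell
# Added example (not from the article or from Microsoft's own tooling).
# Lists key credentials on the Exchange Online first-party service principal so an
# admin can see whether an old hybrid/OAuth setup still has credentials attached.
# Assumptions: Microsoft.Graph module installed; caller can consent to
# Application.Read.All; the appId below is the well-known id of the
# "Office 365 Exchange Online" first-party application.

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$exoAppId = "00000002-0000-0ff1-ce00-000000000000"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

if (-not $sp) {
    Write-Output "Exchange Online service principal not found in this tenant."
    return
}

# KeyCredentials is empty when no certificate-based credential has been registered
$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Output "No key credentials on the Exchange Online service principal: nothing to reset."
    return
}

Write-Output ("{0} key credential(s) present on the Exchange Online service principal:" -f $keys.Count)
$now = Get-Date
foreach ($k in $keys) {
    # Expired credentials are flagged; active ones are the ones a reset would remove
    $state = if ($k.EndDateTime -lt $now) { "EXPIRED" } else { "active" }
    [pscustomobject]@{
        KeyId       = $k.KeyId
        DisplayName = $k.DisplayName
        Usage       = $k.Usage
        Type        = $k.Type
        EndDateTime = $k.EndDateTime
        State       = $state
    }
}
Write-Output "If this tenant no longer uses Exchange hybrid or OAuth with on-premises Exchange, reset these credentials as Microsoft recommends."
```

A non-empty list in a tenant that no longer runs Exchange hybrid or OAuth between on-premises Exchange and Exchange Online is the condition under which the advisory's reset step applies; in a tenant that still uses hybrid, the output simply documents which credentials are in place before the move to the dedicated hybrid app.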
The disclosure comes as Microsoft begins, starting this month, temporarily blocking Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal, in an effort to increase customer adoption of the dedicated Exchange hybrid app and improve the security posture of hybrid environments.
Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a bulletin warning that the vulnerability could impact the identity integrity of an organization's Exchange Online service if left unpatched. CISA has also emphasized the importance of disconnecting public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet and discontinuing the use of outdated versions.
The discovery of this critical security flaw highlights the need for organizations to prioritize the security of their hybrid Exchange Server environments, particularly in configurations where on-premises and cloud-based services are integrated. Microsoft's proactive response to this vulnerability is a testament to its commitment to addressing the evolving cybersecurity landscape and providing timely solutions to protect customers from emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Discloses-Critical-Exchange-Server-Flaw-Allowing-Silent-Cloud-Access-in-Hybrid-Setups-ehn.shtml
https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53786
https://www.cvedetails.com/cve/CVE-2025-53786/
Published: Thu Aug 7 11:54:48 2025 by llama3.2 3B Q4_K_M