Microsoft has disclosed a vulnerability in Exchange Server that allows stealthy, hard-to-audit access to cloud services in hybrid configurations.
Microsoft has issued an advisory regarding a high-severity security vulnerability affecting on-premises versions of Exchange Server, identified as CVE-2025-53786, which has a CVSS score of 8.0. This flaw could enable an attacker who already has administrative access to an on-premises Exchange server to escalate privileges within the connected cloud environment, particularly in hybrid deployments where Exchange Server and Exchange Online share the same service principal. Exploitation of this vulnerability could occur without leaving easily detectable or auditable traces. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that, if left unpatched, this vulnerability could compromise the identity integrity of an organisation's Exchange Online service.
To mitigate the risks associated with CVE-2025-53786, Microsoft recommends that customers review the security changes for hybrid deployments, install the April 2025 Hotfix or newer, and follow the provided configuration instructions. Additionally, organisations that previously configured Exchange hybrid or OAuth authentication but no longer use it should reset the service principal's keyCredentials. In a related effort to enhance security, Microsoft plans to temporarily block Exchange Web Services (EWS) traffic that uses the shared service principal. CISA has also highlighted the presence of malicious artifacts linked to recently disclosed SharePoint flaws, urging entities to disconnect from the internet any public-facing Exchange Server or SharePoint Server installations that have reached end-of-life.
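The keyCredentials reset described above, written as an added defender-side example (not Microsoft's own script) using the Microsoft Graph PowerShell module: it audits the key credentials on the first-party Exchange Online service principal and clears them only after an explicit confirmation. It assumes the well-known Exchange Online application ID shown in the code and a signed-in account holding Application.ReadWrite.All; verify both in your own tenant.

```powershell
# Added example: audit and, once hybrid/OAuth is confirmed unused, clear the
# keyCredentials on the first-party "Office 365 Exchange Online" service principal.
# Requires the Microsoft.Graph PowerShell module (Get-/Update-MgServicePrincipal).
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Assumed well-known application ID of Exchange Online; confirm it in your tenant.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }

# Record what is present before changing anything (useful as an audit trail).
$sp.KeyCredentials |
    Select-Object DisplayName, KeyId, Type, Usage, StartDateTime, EndDateTime |
    Format-Table -AutoSize

if ($sp.KeyCredentials.Count -eq 0) {
    Write-Host "No keyCredentials present on the service principal; nothing to reset."
    return
}

# Flag credentials that are still within their validity window; these are the ones
# a hybrid-capable on-premises server could still use against Exchange Online.
$now = Get-Date
$active = $sp.KeyCredentials | Where-Object { $_.EndDateTime -gt $now }
Write-Host "$($sp.KeyCredentials.Count) keyCredentials found, $($active.Count) still valid."

# Only clear them if hybrid / OAuth is genuinely no longer in use.
$answer = Read-Host "Hybrid/OAuth no longer used? Type CLEAR to remove all keyCredentials"
if ($answer -ceq "CLEAR") {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
    $after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
    Write-Host "Remaining keyCredentials after reset: $($after.KeyCredentials.Count)"
} else {
    Write-Host "No changes made."
}
```

Run it from a workstation that is itself patched and trusted, and keep the pre-reset listing with the change record so the removal can be reviewed later.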