All organizations operating out-of-date Microsoft Exchange hybrid-joined configurations are at grave risk and should act immediately, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned. The agency is urging federal agencies to apply critical mitigations before Monday.

Hackers with administrative access to on-premises Microsoft Exchange servers can quickly escalate privileges, jump to the cloud, and compromise related Microsoft 365 infrastructure, where they can control emails, user accounts, and other services.

CISA has issued an emergency directive for all federal agencies to immediately address this flaw and report back by 9:00 AM EDT on Monday, August 11th, 2025. The vulnerability affects all supported Microsoft Exchange servers, and applying the patch is not enough.

“This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance, and immediate mitigation is critical,” the advisory reads.

“CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment.”

All agencies must quickly assess their current Microsoft Exchange environments by running the provided Exchange Server Health Checker script to inventory all servers and identify current update levels. They must also disconnect end-of-life servers, determine which servers are eligible for the April hotfix or later, and update them to the latest Cumulative Update (CU).

“⚠️ MS Exchange server hybrid deployment elevation of privilege vulnerability CVE-2025-53786 could allow a threat actor with admin access to an Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. See guidance 👉 https://t.co/NzTYDGqMMq” (CISA Cyber, @CISACyber, August 7, 2025)

Additional steps require agencies to transition to dedicated Exchange hybrid applications, perform credential cleanup, monitor the environments after deployment, and prepare for the Microsoft Graph API transition, which will replace Exchange Web Services. The latter change will be enforced starting in October.

Hackers haven’t yet been observed in the wild exploiting this flaw, and CISA hasn’t added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

The high-severity (8.0 out of 10) vulnerability was inadvertently created on April 18th, 2025, when Microsoft announced security improvements and a non-security hotfix to its platform.

“Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement,” the tech giant said in its advisory.

Microsoft urges all companies to apply the hotfix and other required changes to Microsoft Exchange Server 2019, 2016, and Subscription Edition.

“If you have already migrated to the newest version, you already have this level of protection from the vulnerability. All you need to do is follow the steps as outlined in the documentation to enable the feature and clear the certificates from the shared service principals keyCredentials,” the advisory reads.

Exploitation of the flaw was demonstrated by security researcher Dirk-jan Mollema during a Black Hat presentation.