Microsoft has issued an important alert to its customers: there is a high-severity vulnerability in hybrid Exchange Server environments that could give attackers the opportunity to escalate privileges in Exchange Online — and do so without leaving a trace.
To put this in context: hybrid Exchange configurations connect your on-premises mail servers with Exchange Online (the cloud-based version within Microsoft 365). This allows everything to work as if it were a single system: synchronized mailboxes, shared calendars, global contact lists, and a unified mail flow between on-premises and cloud.
The problem is that, in these hybrid environments, the on-premises Exchange and Exchange Online share the same service identity — a special credential used to authenticate communication between the two. If that identity is compromised, the attacker could move between both environments as if they were a legitimate user… and that’s where the risk lies.
How can attackers exploit the hybrid Exchange flaw without leaving a trace?
The risk is compounded because, by leveraging that shared service identity, an attacker with control over the on-premises Exchange can forge trusted tokens or manipulate API calls. The cloud side will accept them as valid since it inherently trusts the on-premises server.
And here’s the most concerning part: actions originating from the on-premises Exchange don’t always leave footprints in Microsoft 365 logs. This means cloud-based auditing tools, such as Microsoft Purview or M365 audit logs, may fail to detect the intrusion if the attack began in the on-premises environment.
As Microsoft explained in its Wednesday security advisory:
“In a hybrid Exchange deployment, an attacker who first gains administrative access to an on-premises Exchange server could escalate privileges within the organization’s cloud environment without leaving an easily detectable and auditable trail.”
The vulnerability, now identified as CVE-2025-53786, is a high-severity privilege escalation flaw affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition — the latest subscription-based version that replaces the perpetual license model.
Although Microsoft has not observed active attacks exploiting this flaw, it has classified it as ‘Exploitation More Likely.’ Their analysis indicates it would be relatively easy to develop a stable exploit to leverage it repeatedly, making it a very attractive target for cybercriminals.
CISA Warns: The Flaw Could Grant Full Domain Access
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a specific advisory on vulnerability CVE-2025-53786, urging organizations with hybrid Exchange setups to act immediately if they don’t want to open the door to a complete domain compromise.
Key recommendations include:
- Install the April 2025 Exchange Server security updates in the on-premises environment, following Microsoft’s official guidance.
- Implement the dedicated hybrid Exchange application to strengthen authentication between the on-premises server and the cloud.
- For those currently using or who have previously used hybrid Exchange, reset and clean the service principal credentials according to Microsoft’s documented procedure.
- Once complete, run the Microsoft Exchange Health Checker to confirm there are no outstanding steps.
CISA warns that failing to apply these measures could allow an attacker to take control of both the on-premises and hybrid cloud environments. It also recommends disconnecting from the internet any unsupported (EOL) Exchange or SharePoint servers, as they represent a critical risk.
Microsoft, for its part, reminds users that Exchange Server 2016 and 2019 will reach the end of extended support in October. The company advises migrating to Exchange Online or upgrading to Exchange Server Subscription Edition (SE) to continue receiving security patches.
The warning is no exaggeration: in recent years, both state-sponsored hacking groups and cybercriminals have exploited severe Exchange vulnerabilities such as the infamous ProxyLogon and ProxyShell.
For instance, in March 2021, at least ten threat groups — including Hafnium (also known as Silk Typhoon) linked to China — used ProxyLogon to compromise thousands of servers.
And in January 2023, Microsoft once again urged administrators to keep on-premises Exchange fully updated with the latest Cumulative Update (CU) to be ready for any emergency patch that could save them from an attack.
Conclusion: Updating Is Not Optional — It’s Vital
This vulnerability in hybrid Exchange is not just a routine technical advisory — it’s a direct warning that neglecting updates could cost you full control of your domain. In a landscape where attackers — from criminal groups to state-sponsored actors — are constantly seeking weak points, delaying a patch or ignoring secure configuration is the same as opening the door wide for them.
Updating Exchange Server, applying the recommended patches, and following the official guidance from Microsoft and CISA is not just best practice — it’s a critical line of defense. Likewise, keeping your infrastructure up to date, decommissioning unsupported servers, and reinforcing security controls should be part of the daily routine for every IT team.
At TecnetOne, we remind you that prevention always costs less than recovery. Keeping your systems updated, auditing configurations, and responding quickly to vulnerabilities is not optional — it’s the key to keeping your business secure.