If your company uses Microsoft Exchange, it’s time to act. More than 29,000 internet-exposed Exchange servers remain unpatched against a severe vulnerability (CVE-2025-53786) that could allow an attacker to move laterally within hybrid environments and fully compromise the domain.
This vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition in hybrid configurations. If an attacker gains administrative access to your on-premises Exchange server, they could escalate privileges in your cloud-connected environment, forge tokens, or manipulate API calls without leaving clear traces. This means exploitation is hard to detect, and the consequences can be devastating.
In April 2025, Microsoft released a hotfix as part of its Secure Future Initiative, replacing the insecure shared identity model with a dedicated hybrid application. While no confirmed abuse has been detected, Microsoft classified this flaw as “Exploitation More Likely”, warning that reliable exploit code is likely to be developed in the future.
According to the Shadowserver monitoring platform, as of August 10 there were still 29,098 vulnerable servers — over 7,200 in the U.S., more than 6,700 in Germany, and over 2,500 in Russia. This is no small issue: every unpatched server is an open door for attackers.
Image of unpatched Exchange Servers (Source: Shadowserver)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02 requiring federal agencies to mitigate this vulnerability immediately. Even if your organization isn’t in the government sector, the same steps are strongly recommended:
1. Use Microsoft's Health Checker script to identify all Exchange instances and their patch status.
2. Take out-of-support versions, and any servers without the April 2025 hotfix, offline immediately.
3. Install the April 2025 hotfix on the supported servers.
4. Ensure your hybrid setup uses Microsoft's new recommended architecture (the dedicated hybrid application).
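The following script is an added example, not part of the TecnetOne article and not Microsoft's own tooling. It is a first-pass inventory for step 1: run from the Exchange Management Shell, it lists every Exchange server, classifies its version line (15.1 = Exchange 2016, 15.2 = Exchange 2019 and Subscription Edition, anything older = out of support) and notes whether a hybrid configuration exists. The function name Get-ExchangeVersionInventory and the assumption that HealthChecker.ps1 has been downloaded to the current directory are mine. AdminDisplayVersion reports the cumulative update build and does not reliably change when a hotfix is installed, so the hotfix status itself is confirmed with Health Checker, not with this script.

```powershell
# Added example (not from the article): inventory Exchange servers by version line
# so that out-of-support servers can be taken offline before patching the rest.
# Assumes the Exchange Management Shell; Get-ExchangeServer and
# Get-HybridConfiguration are standard Exchange cmdlets.

# Supported version lines at the time of the April 2025 hotfix.
$SupportedLines = @{
    '15.1' = 'Exchange Server 2016'
    '15.2' = 'Exchange Server 2019 / Subscription Edition'
}

function Get-ExchangeVersionInventory {
    Get-ExchangeServer | ForEach-Object {
        # ToString() works whether the property arrives as a ServerVersion object
        # or as a deserialized string: "Version 15.2 (Build 1544.4)"
        $text = $_.AdminDisplayVersion.ToString()
        $line = 'unknown'
        $build = $text
        if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $line  = '{0}.{1}' -f $Matches[1], $Matches[2]
            $build = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        }

        if ($SupportedLines.ContainsKey($line)) {
            $product = $SupportedLines[$line]
            $status  = 'SUPPORTED: confirm April 2025 hotfix with HealthChecker.ps1'
        } else {
            $product = 'Pre-2016 or unrecognised'
            $status  = 'OUT-OF-SUPPORT: take offline'
        }

        [PSCustomObject]@{
            Server  = $_.Name
            Product = $product
            Build   = $build
            Status  = $status
        }
    }
}

# Hybrid configuration is the precondition for this vulnerability; record it.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if ($hybrid) {
    Write-Warning 'Hybrid configuration found: verify the dedicated hybrid application is in use (step 4).'
}

Get-ExchangeVersionInventory | Sort-Object Status, Server | Format-Table -AutoSize

# Hotfix level per server: run Microsoft's Health Checker (assumed to be in the
# current directory) on each server and read its report.
#   .\HealthChecker.ps1
```

The script only separates servers that must be decommissioned from servers that can be patched; it deliberately does not claim to know whether the hotfix is present, because a build string that predates the hotfix release is the expected state even on a patched server.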
Failing to patch this vulnerability could lead to a total compromise of your hybrid and on-premises domain. The privileged access gained by an attacker could be used to steal data, deploy ransomware, or spy on internal communications. Since malicious traffic can disguise itself as legitimate, you may not notice until the damage is done.
At TecnetOne, we recommend not waiting for the first public exploitation cases to appear. Now is the time to close the gap and secure your Exchange environment — especially if you work with sensitive data or manage critical operations.