Microsoft Exchange Server Hybrid at risk by CVE-2025-53786

Another note for administrators of Microsoft Exchange Server hybrid configurations. Microsoft points out that these configurations are at risk from an Elevation of Privilege vulnerability (CVE-2025-53786). A hotfix that closes this vulnerability in hybrid configurations is available, together with instructions for securing the installation.


The US cyber security authority CISA warns in this article (and in an accompanying tweet) about the Elevation of Privilege vulnerability (CVE-2025-53786) in Exchange Server hybrid configurations.

Addendum: After this article was published, US CISA issued Emergency Directive 25-02, under which US authorities have until August 11, 2025 to secure their Exchange hybrid configurations.

Microsoft has published the support article Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability for CVE-2025-53786 on August 6, 2025. The vulnerability CVE-2025-53786 allows privilege elevation in a hybrid configuration and has been assigned a CVSS 3.1 score of 8.0.

In a hybrid Exchange environment, an attacker who initially gains only administrative privileges on an on-premises Exchange server could elevate their privileges within the organization's connected cloud environment. This can be done without leaving easily recognizable and verifiable traces, which would put the entire Exchange Online cloud instance at risk.


This risk arises because Exchange Server and Exchange Online use the same service principal in hybrid configurations. CVE-2025-53786 affects Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the recently released Microsoft Exchange Server Subscription Edition RTM.

Microsoft has not yet observed any exploitation of this vulnerability in practice, but classifies it as "Exploitation More Likely". This is because an analysis by CISA has shown that exploit code could be developed to exploit this vulnerability consistently.

It is interesting to note that Microsoft announced security changes for Exchange Server for hybrid deployments and an accompanying non-security hotfix on April 18, 2025. These changes were made to improve the security of hybrid Exchange deployments. After further investigation, Microsoft identified specific security implications and assigned CVE-2025-53786.

Microsoft strongly recommends that you read the information, install the April 2025 (or later) hotfix and implement the changes in your Exchange Server and hybrid environment.

Administrators responsible for hybrid Exchange configurations should install the hotfix (or a newer version) specified in the article on their on-premises Exchange servers. In addition, the configuration instructions under Deploy dedicated Exchange hybrid app should be followed to deploy a dedicated Exchange hybrid app. Further details can be found under Exchange Server Security Changes for Hybrid Deployments. After completing the steps, ensure that you reset the keyCredentials of the service principal.

Anyone who previously configured Exchange Hybrid or OAuth authentication between Exchange Server and an Exchange Online organization but no longer uses it should ensure that the keyCredentials of the service principal are reset.
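The keyCredentials reset mentioned in the two paragraphs above can be audited and carried out with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the article or from Microsoft's own guidance; it assumes that the shared service principal is the first-party "Office 365 Exchange Online" application (appId `00000002-0000-0ff1-ce00-000000000000`) and that clearing it with `-KeyCredentials @()` is equivalent to the reset Microsoft describes.

```powershell
# Added example (not from the article or from Microsoft's own scripts).
# Requires the Microsoft.Graph PowerShell SDK; run
#   Connect-MgGraph -Scopes "Application.ReadWrite.All"
# first. The appId below is assumed to be the first-party Exchange Online app
# whose service principal Exchange Server and Exchange Online share in hybrid.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-ExoHybridKeyCredentials {
    # Lists the keyCredentials (uploaded certificates) still attached to the
    # shared service principal. Every entry is a credential that an on-premises
    # Exchange server, or whoever controls it, can still use against the tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }
    foreach ($kc in $sp.KeyCredentials) {
        [pscustomobject]@{
            ServicePrincipalId = $sp.Id
            KeyId              = $kc.KeyId
            DisplayName        = $kc.DisplayName
            Type               = $kc.Type
            Usage              = $kc.Usage
            NotAfter           = $kc.EndDateTime
            Expired            = ($kc.EndDateTime -lt (Get-Date).ToUniversalTime())
        }
    }
}

function Reset-ExoHybridKeyCredentials {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    # Removes all keyCredentials from the shared service principal. Do this only
    # once the dedicated hybrid app is in place (or hybrid/OAuth is no longer used),
    # since on-premises hybrid authentication that still relies on them will stop working.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) { throw "Exchange Online service principal not found in this tenant." }
    if ($sp.KeyCredentials.Count -eq 0) {
        Write-Host "No keyCredentials present on $($sp.Id); nothing to reset."
        return
    }
    if ($PSCmdlet.ShouldProcess("service principal $($sp.Id)", "Remove $($sp.KeyCredentials.Count) keyCredential(s)")) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
        # Re-read the object and confirm the reset actually took effect.
        $after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
        if ($after.KeyCredentials.Count -ne 0) { throw "keyCredentials still present after reset." }
        Write-Host "keyCredentials cleared on $($sp.Id)."
    }
}

# Usage: audit first, preview the reset, then run it for real.
# Get-ExoHybridKeyCredentials | Format-Table
# Reset-ExoHybridKeyCredentials -WhatIf
```

An empty audit result after the reset is the state Microsoft's guidance asks for; any remaining entry, expired or not, means the shared credential path is still open.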


This entry was posted in Cloud, Security, Software.