[German] Microsoft Exchange Server hybrid configurations are vulnerable to the elevation of privilege vulnerability CVE-2025-53786. Over 28,000 instances are still unpatched. The US CISA has given federal agencies until Monday, August 11, 2025, to patch the vulnerability. Here is an overview.
28,000 hybrid Exchange instances vulnerable
The Shadowserver Foundation has added version-based detection of the Microsoft Exchange vulnerability CVE-2025-53786 in hybrid instances to its daily scans.
According to Shadowserver's tweet, over 28,000 unpatched IPs have been found (as of August 7, 2025). The most affected countries are the US (7,300), Germany (6,500), and Russia (2,500). I have not yet heard any warnings from the BSI.
Vulnerability CVE-2025-53786 in hybrid Exchange environments
In a hybrid Exchange environment, an attacker who has first gained administrator rights on an on-premises Exchange server could use the CVE-2025-53786 vulnerability to extend those privileges into the company's connected cloud environment.
This is possible without leaving easily detectable and auditable traces, so the entire Exchange Online tenant is at risk. Because the vulnerability allows privilege escalation from on-premises into the cloud side of a hybrid configuration, it has been assigned a CVSS 3.1 score of 8.0.
Some administrators argue that "if I have administrator rights on an on-premises Exchange Server, everything is lost anyway." The real issue, however, is the lateral movement into the Exchange Online tenant that the vulnerability enables: an on-premises compromise, which would normally be contained to the local environment, turns into a cloud compromise.
I first briefly reported on the issue in the article Microsoft Exchange Server Hybrid at risk by CVE-2025-53786. Microsoft has published a support article on CVE-2025-53786 entitled Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability since August 6, 2025.
German MVP Frank Carius has since published this article (in German, use deepl.com to translate) with further explanations and assessments, as well as dates and implications on the topic. It also describes what administrators need to do. Administrators should definitely read through the article.
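As an added example (not code from the original post, from Frank Carius, or from Microsoft's own tooling), the following PowerShell script performs the same kind of version-based check that Shadowserver runs from the outside, but from the inside, against the servers in your own organization. It reads the build of every Exchange server from the Exchange Management Shell and flags those below the April 2025 Hotfix Update baseline that Microsoft's advisory points to. The minimum build numbers in the table are assumptions taken from Microsoft's published Exchange build number list as of August 2025; verify them against the current list before relying on the output. The sample inventory at the end is constructed for an offline dry run and does not represent real servers.

```powershell
# Added example: version-based check for Exchange servers that have not yet received
# the April 2025 Hotfix Update (the baseline named in Microsoft's CVE-2025-53786 advisory).
# ASSUMPTION: the minimum builds below come from Microsoft's Exchange build number list
# as of August 2025. Verify them against the current list before use.
$MinimumBuilds = @{
    '15.1.2507' = [version]'15.1.2507.55'   # Exchange 2016 CU23 + April 2025 HU
    '15.2.1544' = [version]'15.2.1544.25'   # Exchange 2019 CU14 + April 2025 HU
    '15.2.1748' = [version]'15.2.1748.24'   # Exchange 2019 CU15 + April 2025 HU
    '15.2.2562' = [version]'15.2.2562.17'   # Exchange Server SE RTM (ships with the changes)
}

function Get-ExchangeBuild {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1748.24)"; turn it into a [version].
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])
    }
    return $null
}

function Test-ExchangeHotfixBaseline {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$AdminDisplayVersion
    )
    $build = Get-ExchangeBuild $AdminDisplayVersion
    if (-not $build) {
        return [pscustomobject]@{ Server = $ServerName; Build = $AdminDisplayVersion; Status = 'UnparsedVersion' }
    }
    # Major.Minor.Build identifies the CU; the last component is the HU level within that CU.
    $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    if (-not $MinimumBuilds.ContainsKey($cuKey)) {
        # Either a CU newer than this table or one too old to have received an April 2025 HU at all.
        $status = 'UnknownCU-CheckManually'
    } elseif ($build -ge $MinimumBuilds[$cuKey]) {
        $status = 'AtOrAboveApril2025HU'
    } else {
        $status = 'BelowApril2025HU-Patch'
    }
    [pscustomobject]@{ Server = $ServerName; Build = $build.ToString(); Status = $status }
}

# Live run (requires the Exchange Management Shell):
# Get-ExchangeServer | ForEach-Object {
#     Test-ExchangeHotfixBaseline $_.Name $_.AdminDisplayVersion.ToString()
# }

# Constructed sample inventory for an offline dry run (not real servers).
$sample = @(
    @{ Name = 'EX01'; Version = 'Version 15.2 (Build 1748.10)' }   # 2019 CU15 RTM, still unpatched
    @{ Name = 'EX02'; Version = 'Version 15.2 (Build 1748.24)' }   # 2019 CU15 + April 2025 HU
    @{ Name = 'EX03'; Version = 'Version 15.1 (Build 2507.55)' }   # 2016 CU23 + April 2025 HU
    @{ Name = 'EX04'; Version = 'Version 15.2 (Build 1258.12)' }   # 2019 CU13, no April 2025 HU exists
)
$sample | ForEach-Object { Test-ExchangeHotfixBaseline $_.Name $_.Version } | Format-Table -AutoSize
```

A server reported as "AtOrAboveApril2025HU" has only met the build baseline. The hotfix on its own does not close the hybrid trust path; Microsoft's advisory additionally requires the hybrid deployment to be switched to the dedicated Exchange hybrid app, which this script does not verify.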
The US CISA: Patch CVE-2025-53786 by August 11, 2025
In this article (see also the following tweet), the US Cybersecurity and Infrastructure Security Agency (CISA) warns of the elevation of privilege vulnerability (CVE-2025-53786) in Exchange Server hybrid configurations.
The US Cybersecurity and Infrastructure Security Agency (CISA) has now published Emergency Directive 25-02, which gives US Federal Civilian Executive Branch agencies until Monday, August 11, 2025, to secure their Exchange hybrid configurations against the CVE-2025-53786 vulnerability.