2025-08-12


Microsoft has issued a warning about CVE-2025-53786, a serious privilege escalation vulnerability affecting hybrid setups of Microsoft Exchange Server. The company warns that the vulnerability could allow attackers who already hold on-premises admin rights to take control of the connected Exchange Online environment.


The issue affects Microsoft Exchange Server 2016 and 2019 when set up in hybrid configurations. It has a CVSS v3.1 score of 8.0 and has not yet been seen exploited in the wild. However, Microsoft warns that this vulnerability might be leveraged to compromise an entire domain because of the hybrid trust model.

It is worth noting that Microsoft Defender Vulnerability Management (MDVM) can spot and prioritize fixes for at-risk devices to help manage the risk. Additionally, administrators can look for this CVE in MDVM or use Advanced Hunting queries to identify affected servers that haven’t received the necessary updates.

Microsoft has further suggested installing the April 2025 hotfix or any newer cumulative updates. These updates activate the Dedicated Exchange Hybrid App, which takes over from the older shared service principal trust that carries a risk of being misused.

Steps to Secure Hybrid Deployments

The company has also urged administrators to set up and enable the dedicated hybrid app by using the provided PowerShell scripts or the updated Hybrid Configuration Wizard. Once it’s up and running, the old shared trust keys must be removed to stop them from being reused.

Microsoft stresses the importance of confirming that the dedicated app is operational and that no old credentials are lingering around. If the Hybrid Configuration Wizard needs to be run again, the cleanup process will have to be repeated.
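As an added example (this is not Microsoft's script and not code from the article), the PowerShell check below covers the three verification points above from a defender's side: that each on-premises server runs a build at or above the April 2025 hotfix, that the dedicated hybrid app override is present on-premises, and that no old shared keyCredentials linger on the first-party Exchange Online service principal. It assumes an Exchange Management Shell session plus the Microsoft.Graph.Applications module; the minimum build number, the setting-override name and the dedicated app's display name are not given on this page and are marked as placeholders to be filled in from Microsoft's own guidance.

```powershell
# Added verification script for CVE-2025-53786 hybrid cleanup (not Microsoft's code).
# Requires: Exchange Management Shell (Get-ExchangeServer, Get-SettingOverride)
#           and Microsoft.Graph.Applications (Connect-MgGraph, Get-MgServicePrincipal).
# PLACEHOLDERS below are assumptions; replace them with values from Microsoft's guidance.

# --- 1. Server build: every server must be at or above the April 2025 hotfix build. ---
# PLACEHOLDER (assumption): substitute the real minimum build from Microsoft's release notes.
$MinimumBuild = [version]'15.2.0.0'

$servers = Get-ExchangeServer | ForEach-Object {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1544.4)"; parse it into a [version].
    $text = "$($_.AdminDisplayVersion)"
    $build = $null
    if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    [pscustomobject]@{
        Server   = $_.Name
        Build    = $build
        Outdated = ($null -eq $build) -or ($build -lt $MinimumBuild)
    }
}

# --- 2. Dedicated hybrid app override: the hotfix + configuration should leave a setting override. ---
# PLACEHOLDER (assumption): the override name pattern is not on the page; adjust to the documented name.
$overrides = Get-SettingOverride | Where-Object { $_.Name -like '*HybridApplication*' }
$dedicatedAppConfigured = @($overrides).Count -gt 0

# --- 3. Lingering shared keys on the first-party "Office 365 Exchange Online" service principal. ---
# The appId below is the well-known first-party Exchange Online application id.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" -Property Id,DisplayName,KeyCredentials
$lingeringKeys = @($sp.KeyCredentials)

# --- Report: anything flagged here means the cleanup (or the re-run after HCW) is incomplete. ---
$servers | Where-Object Outdated | ForEach-Object {
    Write-Warning "Server $($_.Server) is below the required build (found: $($_.Build))"
}
if (-not $dedicatedAppConfigured) {
    Write-Warning 'No dedicated hybrid app setting override found on-premises'
}
foreach ($key in $lingeringKeys) {
    # Each remaining keyCredential is a shared trust key that should have been removed.
    Write-Warning ("Lingering keyCredential on {0}: keyId={1} expires={2}" -f `
        $sp.DisplayName, $key.KeyId, $key.EndDateTime)
}

[pscustomobject]@{
    OutdatedServers        = @($servers | Where-Object Outdated).Count
    DedicatedAppConfigured = $dedicatedAppConfigured
    LingeringSharedKeys    = $lingeringKeys.Count
    Clean                  = (@($servers | Where-Object Outdated).Count -eq 0) -and
                             $dedicatedAppConfigured -and ($lingeringKeys.Count -eq 0)
}
```

Run it after the hotfix, the dedicated app configuration and the key cleanup, and again after any re-run of the Hybrid Configuration Wizard, since the article notes the cleanup must be repeated in that case; a `Clean` value of `$true` with zero lingering keys is the state to aim for, and the read-only Graph scope keeps the check from changing anything.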

Even though there are no signs of active exploitation, Microsoft recommends making the aforementioned steps part of regular IT practice. Keeping an eye on things with MDVM can also help monitor patch compliance, uncover unprotected servers, and prevent any renewed exposure.