- Microsoft finds a high-severity flaw in Exchange hybrid deployments
- Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition are all affected
- A hotfix is available, so administrators should update now
Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in Exchange hybrid deployments.
Microsoft describes the problem as an "improper authentication" flaw, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Attackers who already hold administrator access to an on-premises Exchange server can exploit it to escalate privileges in the connected Exchange Online environment, because of trust weaknesses in how the shared service principal is configured.
The issue could be worse still, because the attacker's initial activity in Exchange does not always generate logs in Microsoft 365 that point to malicious behaviour, so cloud-based auditing may never see the attack.
“Commercial information available publicly”
A Microsoft Exchange hybrid deployment combines on-premises Exchange servers with Exchange Online in Microsoft 365 so that they operate as a single system. It lets organizations share mail, calendar and contacts seamlessly across both environments.
"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces," Microsoft said.
Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition are all affected.
Although there is no evidence of exploitation in the wild yet, Microsoft has urged customers to apply the April 2025 hotfix, move to the dedicated Exchange hybrid app, and reset the shared service principal's credentials to mitigate the risk.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) issued its own warning.
Failing to act could result in "hybrid cloud and total domain compromise," CISA warned.
Via BleepingComputer