Microsoft has issued a high-severity security advisory for a flaw in its on-premises Exchange Server that could allow attackers to gain silent, elevated access to connected cloud environments in hybrid setups. The vulnerability, tracked as CVE-2025-53786 with a CVSS score of 8.0, affects organizations that use a hybrid configuration, where on-premises Exchange servers are linked to Exchange Online.
The issue stems from a shared service principal, an identity used for authentication between the on-premises and cloud environments. An attacker who first gains administrative control of a local Exchange server can leverage this shared principal to forge authentication tokens or API calls that the cloud environment accepts as legitimate.
A key concern is the stealthy nature of the attack. According to the advisory, a successful exploit could allow an attacker to escalate privileges within the organization’s connected cloud environment without leaving easily detectable or auditable traces. This makes it particularly dangerous as traditional cloud-based auditing tools may fail to identify the breach, leaving organizations vulnerable to a “total domain compromise,” as warned by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability was first reported by security researcher Dirk-jan Mollema of Outsider Security and was demonstrated at the recent Black Hat USA 2025 conference. Mollema explained that once these special access tokens are stolen, they can be used to impersonate any hybrid user for up to 24 hours, and they can’t be revoked, making them highly valuable to an adversary.
Microsoft has stated that no in-the-wild exploitation has been observed yet, but the company has tagged the vulnerability as “Exploitation More Likely” due to the relative ease of developing exploit code.
To mitigate the risk, Microsoft is urging administrators to apply the April 2025 Exchange Server Hotfix Updates or newer releases. Organizations that have used a hybrid setup in the past but no longer do so are also advised to reset the shared service principal’s keyCredentials. In an effort to improve security, Microsoft plans to begin temporarily blocking Exchange Web Services traffic that uses the shared service principal this month and will permanently block it after October 31, 2025. This change is intended to accelerate the adoption of a more secure, dedicated Exchange hybrid application.
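The advisory's second mitigation, resetting the keyCredentials on the shared service principal, can be audited and carried out from the Entra ID side. The following PowerShell is an added example, not code from Microsoft or the article: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) and a signed-in account with Application.ReadWrite.All. The application ID it defaults to is the well-known first-party Exchange Online app ID; treat that value as an assumption to confirm against Microsoft's current hybrid guidance before running the reset.

```powershell
# Added example (not from the advisory or the article): audit the shared Exchange Online
# service principal in Entra ID and, only when explicitly asked, clear its keyCredentials.
# Assumes the Microsoft Graph PowerShell SDK is installed and Connect-MgGraph has been run
# with a scope that can read and write service principals (Application.ReadWrite.All).

#Requires -Modules Microsoft.Graph.Applications

function Get-SharedExchangeServicePrincipalStatus {
    [CmdletBinding()]
    param(
        # Assumption: the well-known first-party Exchange Online application ID.
        # Confirm it against Microsoft's hybrid guidance before relying on it.
        [string]$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'" `
                                 -Property Id, DisplayName, AppId, KeyCredentials
    if (-not $sp) {
        throw "No service principal found for appId $ExchangeOnlineAppId"
    }

    $creds = @($sp.KeyCredentials)
    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        DisplayName        = $sp.DisplayName
        KeyCredentialCount = $creds.Count
        # Each entry is a certificate the hybrid trust can authenticate with. A non-zero
        # count on a tenant that no longer runs hybrid is the condition to remediate.
        Credentials        = $creds | Select-Object KeyId, DisplayName, StartDateTime, EndDateTime
    }
}

function Reset-SharedExchangeServicePrincipalKeys {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
    )

    $status = Get-SharedExchangeServicePrincipalStatus -ExchangeOnlineAppId $ExchangeOnlineAppId
    if ($status.KeyCredentialCount -eq 0) {
        Write-Verbose "No keyCredentials present; nothing to reset."
        return $status
    }

    # Clearing keyCredentials invalidates the certificate trust the hybrid connector uses.
    # Per the advisory, do this only on tenants that no longer use the shared principal for
    # hybrid, or after moving to the dedicated Exchange hybrid application.
    $action = "Remove $($status.KeyCredentialCount) keyCredential(s)"
    if ($PSCmdlet.ShouldProcess($status.DisplayName, $action)) {
        Update-MgServicePrincipal -ServicePrincipalId $status.ServicePrincipalId -KeyCredentials @()
    }

    # Re-read so the caller sees the post-change state rather than the cached object.
    Get-SharedExchangeServicePrincipalStatus -ExchangeOnlineAppId $ExchangeOnlineAppId
}

# Usage (interactive session):
#   Connect-MgGraph -Scopes "Application.ReadWrite.All"
#   Get-SharedExchangeServicePrincipalStatus | Format-List
#   Reset-SharedExchangeServicePrincipalKeys -WhatIf     # dry run, changes nothing
#   Reset-SharedExchangeServicePrincipalKeys             # prompts before clearing
```

Run the status function first and record its output; the reset is gated behind ShouldProcess with ConfirmImpact High, so a dry run with -WhatIf and a confirmation prompt stand between the operator and a change that will break any hybrid flow still depending on the shared principal.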