Microsoft warns of high-severity flaw in hybrid Exchange deployments
bleepingcomputer.com - Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected. Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online (part of Microsoft 365), allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes, including shared calendars, global address lists, and mail flow. However, in hybrid Exchange deployments, on-prem Exchange Server and Exchange Online also share the same service principal, which is a shared identity used for authentication between the two By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premises server. Additionally, actions originating from on-premises Exchange don't always generate logs associated with malicious behavior in Microsoft 365; therefore, traditional cloud-based auditing (such as Microsoft Purview or M365 audit logs) may not capture security breaches if they originated on-premises. "In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace," Microsoft said on Wednesday in a security advisory describing a high-severity privilege escalation vulnerability now tracked as CVE-2025-53786. The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one. While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as "Exploitation More Likely" because its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, increasing its attractiveness to attackers.
%2Fcdn.vox-cdn.com%2Fuploads%2Fchorus_asset%2Ffile%2F25368863%2F1234065651.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
