“All organizations are strongly encouraged to implement Microsoft guidance to reduce risk,” said Chris Butera, Acting Executive Assistant Director of CISA. The flaw, tracked as CVE-2025-53786, is not under attack yet, but Microsoft rates it “exploitation more likely,” and the US Cybersecurity and Infrastructure Security Agency warns it could lead to “hybrid cloud and on-premises total domain compromise.”
CISA issued an emergency directive on Thursday mandating that government agencies fix the problem by August 11. Exchange, Microsoft’s suite for business email, calendars, and collaboration features, has been breached by both Russian and Chinese spies in the past, including Beijing’s Salt Typhoon.
An earlier 2023 Exchange intrusion gave China’s Storm-0558 access to about 60,000 State Department emails and prompted the Cyber Safety Review Board investigation into Microsoft’s security failings, which the CSRB attributed to a “cascade of avoidable errors.”
In other words: this vulnerability is serious, and very likely to be abused by government goons or financially motivated miscreants very soon. Patch immediately. Outsider Security’s Dirk Jan Mollema reported the bug, CVE-2025-53786, an elevation-of-privilege flaw. It stems from the way hybrid Exchange deployments, which connect on-premises Exchange Servers to Exchange Online, use a shared identity to authenticate users in both environments.
Redmond made changes to hybrid deployments in April that were intended to improve security for both on-prem and cloud-hosted Exchange.
The Windows giant admitted that “following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement.” CVE-2025-53786 documents “a vulnerability that is addressed by taking the steps” included in the April 18 hybrid Exchange announcement.
Redmond’s security update explains that an attacker who already had administrative access to an on-premises Exchange server could exploit the vulnerability.
To fix the bug, Exchange hybrid customers should install the April hotfix (or a newer release) and follow Microsoft’s dedicated Exchange Hybrid App guidance on their on-premises Exchange Servers. After completing those steps, they will also need to reset the keyCredentials on the service principal.
This bug and fix follow Microsoft’s SharePoint security snafu from last month, which Chinese spies, as well as data thieves and ransomware groups, have since exploited. ®