Microsoft, CISA Warn of High-Severity Vulnerability in On-Premises Exchange
by Mike Puglia
3 min read
Security researcher Dirk-jan Mollema of Outsider Security demonstrated at Black Hat a vulnerability in Microsoft’s on-premises Exchange Server in a hybrid-joined environment that enables an attacker to escalate privileges and move laterally from on-prem to gain control of the organization’s Microsoft 365 Exchange Online environment without leaving a detectable and auditable trace (see Mollema’s Black Hat abstract and presentation slides).
This vulnerability is being tracked as CVE-2025-53786, and CISA has issued Emergency Directive ED-25-02 ordering agencies to take mitigation actions by August 11th, 2025.
Exploitation of this vulnerability requires an attacker to first achieve administrative access (i.e., compromise an admin account) on an on-premises Exchange server in a hybrid-joined configuration. While the attacker must first compromise an on-premises Exchange admin account, CISA stressed that it is “deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s Microsoft 365 Exchange Online environment,” and that failure to mitigate the vulnerability risks “leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.”
On-Premises Recommendations
First, disconnect and decommission any End-of-Life Exchange servers that are not eligible for Microsoft’s April 2025 Hotfix Updates. You can use Microsoft’s Exchange Server Health Checker script to determine eligibility. If an Exchange server cannot be updated, the risk of compromise is too high to keep the system in service. (Systems should be on Exchange 2019 with CU 14 or CU 15, or Exchange 2016 with CU 23, before the April 2025 Hotfix Updates are applied.)
Follow Microsoft’s guidance to apply the April 2025 Hotfix Updates to eligible Exchange Servers at: https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471.
A summary of steps is provided below:
- Ensure you have upgraded Exchange to the latest Cumulative Update using the Setup Wizard. Exchange 2019 should be on CU 14 or CU 15, and Exchange 2016 should be on CU 23.
- Review Microsoft’s Exchange Server Security Changes for Hybrid Deployments.
- Apply the April 2025 Hotfix Updates and move from the legacy shared service principal to the new Dedicated Exchange Hybrid Application.
- Follow Microsoft’s Service Principal Clean-Up Mode guidance to reset the shared service principal’s “keyCredentials.”
CISA also provides detailed steps in its Emergency Directive and the accompanying Alert.
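The following PowerShell snippet is an added verification check written for this article; it is not from the original post, from Microsoft’s Health Checker, or from Microsoft’s hybrid configuration scripts. It assumes an Exchange Management Shell session for Get-ExchangeServer, the Microsoft.Graph PowerShell module with Application.Read.All consent, that 00000002-0000-0ff1-ce00-000000000000 is the Office 365 Exchange Online first-party appId (the shared service principal), and that the minimum CU build numbers in the table are correct; confirm them against Microsoft’s Exchange build table before relying on the eligibility result.

```powershell
# Added example (not Microsoft's or the article's code).
# Assumption: build numbers below mark Exchange 2019 CU14 (15.2.1544) and
# Exchange 2016 CU23 (15.1.2507); CU15 (15.2.1748) is above the 2019 floor.
$eligible = @{
    '15.2' = 1544   # Exchange 2019: CU14 or later
    '15.1' = 2507   # Exchange 2016: CU23
}

# --- 1. On-prem: flag servers not on a hotfix-eligible Cumulative Update ---
Get-ExchangeServer | ForEach-Object {
    $v   = $_.AdminDisplayVersion                 # ServerVersion: Major.Minor.Build.Revision
    $key = "$($v.Major).$($v.Minor)"
    $ok  = $eligible.ContainsKey($key) -and ($v.Build -ge $eligible[$key])
    [pscustomobject]@{
        Server   = $_.Name
        Version  = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        Eligible = $ok
        Action   = if ($ok) { 'Apply April 2025 HU if not yet installed' }
                   else     { 'Not eligible: upgrade CU or decommission' }
    }
} | Format-Table -AutoSize

# --- 2. Cloud: list keyCredentials still present on the shared service principal ---
# After moving to the Dedicated Exchange Hybrid Application and running
# Service Principal Clean-Up Mode, this list should be empty.
Connect-MgGraph -Scopes 'Application.Read.All'
$sp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
if (-not $sp.KeyCredentials) {
    Write-Host 'No keyCredentials on the shared Exchange Online service principal.'
} else {
    Write-Warning ("{0} keyCredential(s) remain on the shared service principal; " +
                   "reset them per Microsoft's Service Principal Clean-Up Mode guidance " +
                   "once the dedicated hybrid application is in use.") -f $sp.KeyCredentials.Count
    $sp.KeyCredentials |
        Select-Object DisplayName, KeyId, Usage, StartDateTime, EndDateTime |
        Format-Table -AutoSize
}
```

Run part 1 from the Exchange Management Shell and part 2 from any workstation with the Microsoft.Graph module; a server reported as not eligible is a candidate for decommissioning under the first recommendation above.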
Detection
One of the reasons this vulnerability is classified as high-severity is that exploitation does not leave a detectable and auditable trace. When deployed in a hybrid-joined configuration, on-prem Exchange Server and Exchange Online use the same service principal, a shared identity used for authentication between the two environments. Attackers who compromise the on-prem Exchange Server can then issue tokens or API calls that the cloud side accepts as legitimate, because it implicitly trusts the on-premises server. (Note: Microsoft is moving away from the shared service principal with the new “Dedicated Exchange Hybrid Application” mentioned above.)
The best defense is to patch immediately and to detect the prerequisite: compromise of an admin account on the on-prem Exchange Server. Both RocketCyber and Datto EDR have detections for privilege escalation and lateral movement that identify the on-prem endpoint attacks an attacker would need to complete before exploiting this vulnerability.