TT-CSIRT – 446.07.08.25 – Privilege Escalation Vulnerability in Microsoft Exchange Hybrid Deployments

Please be advised of a high-severity vulnerability, CVE-2025-53786, affecting Microsoft Exchange hybrid deployments. A threat actor who already holds administrative access to an on-premises Exchange server can exploit a vulnerable hybrid configuration to escalate privileges into the connected Exchange Online environment, because hybrid deployments share a service principal (and its credentials) between the on-premises organization and the tenant.

No active exploitation has been observed at the time of writing, but CISA urges organizations to implement Microsoft's Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance to protect the integrity of Exchange Online identities.

Impact

  • A malicious actor with administrative access to an on-premises Exchange server could escalate privileges via a misconfigured hybrid environment.
  • Exploitation may result in full domain compromise, affecting both cloud and on-premises infrastructure.
  • Exploitation risks compromising Exchange Online identity integrity and the trust relationship between the on-premises organization and the tenant.

Recommended Mitigation Steps:

  1. Assess Deployment Exposure
    Review Microsoft's Exchange Server Security Changes for Hybrid Deployments to determine whether your hybrid Exchange environment is affected.
  2. Apply April 2025 Hotfixes
    Install Microsoft's April 2025 Exchange Server Hotfix Updates (or a later update that includes them) on all on-premises Exchange servers.
  3. Clean Up Service Principals (If Hybrid Was Previously Used)
    Follow Microsoft's Service Principal Clean-Up Mode to reset the keyCredentials on the shared service principal if hybrid Exchange was previously configured but is no longer in use.
  4. Run Exchange Health Checker
    Use the Microsoft Exchange Health Checker to confirm the configuration is correct and identify any additional required actions.
  5. Disconnect Legacy Systems
    Remove public-facing Exchange or SharePoint servers that have reached end-of-life (EOL) status (e.g., SharePoint Server 2013 or earlier).
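
The following script is an added example for steps 1 to 4 above; it is not part of the TT-CSIRT advisory and is not Microsoft's own tooling. It is read-only: it reports whether a hybrid configuration exists, whether the on-premises server's ExSetup.exe is at or above the April 2025 Hotfix Update build for its CU line, whether the shared Exchange Online service principal in Entra still carries keyCredentials, and then hands off to Microsoft's HealthChecker.ps1. The build numbers in the lookup table, the local path to HealthChecker.ps1, and the switch names are assumptions introduced for this example; confirm the build numbers against Microsoft's Exchange build table before acting on the result. The app ID used for the Exchange Online service principal is Microsoft's documented first-party app ID.

```powershell
<#
  Added example (not from the TT-CSIRT advisory, not Microsoft tooling): read-only
  exposure check for CVE-2025-53786. Run in the Exchange Management Shell on each
  on-premises server; the Entra check additionally needs the Microsoft Graph PowerShell
  SDK (Microsoft.Graph.Applications) and an account holding Application.Read.All.
#>
param(
    # ASSUMED local path to Microsoft's HealthChecker.ps1 (from the CSS-Exchange project).
    [string]$HealthCheckerPath = ".\HealthChecker.ps1",
    # Skip the Entra check on servers without the Graph SDK.
    [switch]$SkipEntraCheck
)

# Documented app ID of the first-party "Office 365 Exchange Online" service principal,
# whose keyCredentials Microsoft's Service Principal Clean-Up Mode resets.
$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Minimum ExSetup.exe file version containing the April 2025 HU, keyed by CU line.
# ASSUMPTION: these values are transcribed from memory; verify against Microsoft's table.
$MinPatchedBuild = @{
    "15.2.1748" = [version]"15.2.1748.24"   # Exchange 2019 CU15 + April 2025 HU
    "15.2.1544" = [version]"15.2.1544.25"   # Exchange 2019 CU14 + April 2025 HU
    "15.1.2507" = [version]"15.1.2507.55"   # Exchange 2016 CU23 + April 2025 HU
}

function Test-HybridConfigured {
    # Step 1: is a hybrid configuration object present in this organization?
    $hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $hybrid) {
        Write-Host "No hybrid configuration object found. If hybrid was used in the past,"
        Write-Host "the Service Principal Clean-Up step still applies (see the Entra check)."
        return $false
    }
    Write-Host "Hybrid configuration present (features: $($hybrid.Features -join ', '))."
    return $true
}

function Test-AprilHotfixInstalled {
    # Step 2: patch level. HU/SU installs do not change the CU version shown by
    # Get-ExchangeServer, so read the file version of ExSetup.exe instead.
    if (-not $env:ExchangeInstallPath) {
        Write-Warning "ExchangeInstallPath not set; run this in the Exchange Management Shell."
        return $false
    }
    $exSetup = Join-Path $env:ExchangeInstallPath "bin\ExSetup.exe"
    $ver = [version](Get-Item $exSetup).VersionInfo.FileVersion
    $cuLine = "{0}.{1}.{2}" -f $ver.Major, $ver.Minor, $ver.Build
    if (-not $MinPatchedBuild.ContainsKey($cuLine)) {
        Write-Warning "ExSetup.exe is $ver; CU line $cuLine is not in the table. Check Microsoft's build table manually."
        return $false
    }
    if ($ver -ge $MinPatchedBuild[$cuLine]) {
        Write-Host "ExSetup.exe is $ver: at or above the April 2025 HU build for this CU line."
        return $true
    }
    Write-Warning "ExSetup.exe is $ver, below $($MinPatchedBuild[$cuLine]). Install the April 2025 HU or later."
    return $false
}

function Test-ExchangeOnlineServicePrincipalKeys {
    # Step 3: does the shared Exchange Online service principal still carry keyCredentials?
    # They are expected while the shared principal is still used for hybrid; once hybrid
    # is retired (or moved off the shared principal), a remaining key is what the
    # clean-up mode removes. Returns the key count.
    Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
    $spn = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if ($null -eq $spn) {
        Write-Host "Exchange Online service principal not found in this tenant."
        return 0
    }
    $keys = @($spn.KeyCredentials)
    if ($keys.Count -eq 0) {
        Write-Host "No keyCredentials on the Exchange Online service principal."
    } else {
        Write-Warning "$($keys.Count) keyCredential(s) present on the Exchange Online service principal."
        $keys | Select-Object DisplayName, KeyId, StartDateTime, EndDateTime, Usage |
            Format-Table -AutoSize | Out-Host
    }
    return $keys.Count
}

# Run the checks.
$isHybrid  = Test-HybridConfigured
$isPatched = Test-AprilHotfixInstalled
if (-not $SkipEntraCheck) { $keyCount = Test-ExchangeOnlineServicePrincipalKeys }

# Step 4: hand off to Microsoft's Health Checker for the authoritative configuration review.
if (Test-Path $HealthCheckerPath) {
    & $HealthCheckerPath -Server $env:COMPUTERNAME
} else {
    Write-Host "HealthChecker.ps1 not found at $HealthCheckerPath; run it separately once downloaded."
}
```

Nothing in the script changes state: the keyCredentials reset itself is Microsoft's Service Principal Clean-Up Mode procedure, and the patch and Health Checker steps remain as listed above. Treat a non-empty keyCredentials list as a finding only after confirming with the hybrid deployment guidance whether the shared service principal is still in use.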

If you have any queries, comments, or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt.