Microsoft Reveals Exchange Server Flaw That Could Grant Hidden Cloud Access in Hybrid Setups

Microsoft has announced a serious security flaw in its on-premise Exchange Server that could let attackers gain unauthorized access to cloud systems without leaving obvious signs of their actions.

The flaw, known as CVE-2025-53786, has a severity rating of 8.0 out of 10. It was reported by Dirk-jan Mollema from Outsider Security.

In hybrid environments (where on-premise Exchange servers connect to cloud-based services), an attacker who already has administrative control of an on-premise Exchange server could potentially escalate their access within the organization’s cloud systems without being easily detected. This is possible because, in these hybrid setups, the on-premise server and Exchange Online share the same identity, known as the service principal, so actions taken with it from on-premise are hard to tell apart from legitimate cloud activity.

The problem, according to Microsoft, could allow attackers to move deeper into an organization’s connected cloud environment, gaining more control without leaving visible evidence. However, this would only work if the attacker already has full admin access to the on-premise Exchange server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also weighed in, stating that if this flaw isn’t fixed, it could compromise the integrity of the organization’s Exchange Online account.

What Users Should Do

To avoid this risk, Microsoft recommends users take the following steps:

  • Review and update security settings for Exchange Server hybrid setups.
  • Install the April 2025 Hotfix or later updates.
  • If you no longer use hybrid or OAuth authentication for Exchange Server, reset the service principal’s credentials.
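The following read-only audit, added here as an illustration and not taken from the article or from Microsoft's own guidance, walks through the three steps above from a defender's side: it lists each server's build against a minimum build, shows the hybrid and OAuth configuration, and enumerates the credentials registered on the shared Exchange Online service principal in Entra ID. It assumes the first two parts run in the Exchange Management Shell and the last in the Microsoft Graph PowerShell SDK; the $MinimumBuild values are placeholders that must be filled in from Microsoft's published Exchange build table for the April 2025 Hotfix, and the Exchange Online application ID used is the well-known first-party one. Nothing in it changes configuration.

```powershell
# Added example (not from the article or Microsoft). Read-only audit for the three
# remediation steps. Assumption: $MinimumBuild entries below are PLACEHOLDERS; replace
# them with the April 2025 Hotfix builds for your CU from Microsoft's build table.

# --- Step 1: review the hybrid and OAuth configuration (Exchange Management Shell) ---
Get-HybridConfiguration | Format-List Features, OnPremisesSmartHost, Domains
# ServiceName is the Exchange Online application ID; the thumbprints are the on-premises
# OAuth signing certificate that the shared service principal trusts.
Get-AuthConfig | Format-List ServiceName, CurrentCertificateThumbprint, NextCertificateThumbprint
Get-PartnerApplication | Format-Table Name, Enabled, ApplicationIdentifier -AutoSize

# --- Step 2: is every server at or above the hotfix build? ---
# AdminDisplayVersion renders as "Version 15.2 (Build 1748.24)"; parse it into a [version]
# so that builds compare numerically rather than as strings.
function Get-ExchangeBuildVersion {
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    throw "Unrecognised AdminDisplayVersion format: $AdminDisplayVersion"
}

# PLACEHOLDER minimum builds keyed by major.minor (15.1 = Exchange 2016, 15.2 = Exchange 2019).
$MinimumBuild = @{
    '15.1' = [version]'15.1.0.0'   # replace with the Exchange 2016 CU23 + April 2025 HU build
    '15.2' = [version]'15.2.0.0'   # replace with the Exchange 2019 CU14/CU15 + April 2025 HU build
}

Get-ExchangeServer | ForEach-Object {
    $build = Get-ExchangeBuildVersion -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
    $min   = $MinimumBuild["$($build.Major).$($build.Minor)"]
    [pscustomobject]@{
        Server  = $_.Name
        Build   = $build
        Patched = ($null -ne $min) -and ($build -ge $min)
    }
} | Format-Table -AutoSize

# --- Step 3: which credentials are registered on the shared service principal? (Graph) ---
# Application.Read.All is sufficient to read key credentials; no write scope is requested.
Connect-MgGraph -Scopes 'Application.Read.All'
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known first-party Exchange Online app
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
$sp.KeyCredentials |
    Select-Object DisplayName, Type, Usage, StartDateTime, EndDateTime, KeyId |
    Format-Table -AutoSize
# Every entry listed here is a certificate that can be used to act as Exchange Online.
# If the organisation no longer runs hybrid or OAuth, these are the credentials to reset,
# and any entry nobody can account for deserves an incident-response look before removal.
```

The build check deliberately treats an unknown major.minor as unpatched rather than skipping it, so a server running an unexpected version surfaces in the report instead of silently passing.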

Additionally, Microsoft announced it will begin temporarily blocking certain Exchange Web Services (EWS) traffic starting this month. This move is aimed at encouraging customers to switch to a dedicated Exchange hybrid app, improving overall security for hybrid setups.

Connection to Other Vulnerabilities

This alert comes alongside new information from CISA about malware used to exploit vulnerabilities in SharePoint. Specifically, attackers are using malicious tools called ToolShell to target systems, steal cryptographic keys, and upload harmful files.

CISA is also advising organizations to disconnect outdated or unsupported versions of Exchange Server or SharePoint Server from the internet to prevent further exposure to such attacks.