More than 29,000 Exchange servers are vulnerable to a serious bug

📟 News

Date: 13/08/2025

More than 29,000 Exchange servers are vulnerable to CVE-2025-53786, which allows attackers who control an on-premises Exchange server to move into the organization’s Microsoft cloud environment, potentially leading to full domain compromise.

CVE-2025-53786 allows attackers who have already obtained administrative access to on-premises Exchange servers to escalate privileges in the organization’s connected cloud environment by forging or tampering with trusted tokens and API requests. Such an attack leaves virtually no traces, which makes it difficult to detect.

The vulnerability poses a risk to Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition in hybrid configurations.

The vulnerability is tied to changes introduced in April 2025, when Microsoft released guidance and a hotfix for Exchange as part of the Secure Future Initiative. At that time, the company moved to a new architecture with a separate hybrid application that replaces the insecure shared identity previously used by on-premises Exchange servers and Exchange Online.

Later, researchers discovered that the previous shared-identity scheme, which the new architecture replaces, leaves room for dangerous attacks. At the Black Hat conference, experts from Outsider Security demonstrated such a post-exploitation attack.

“Initially, I didn’t consider this a vulnerability, since the protocol used for these attacks was designed with the features discussed in the talk in mind, and it simply lacked important security controls,” says Dirk-Jan Mollema of Outsider Security.

Although Microsoft specialists have not found any signs of the issue being exploited in real-world attacks, the vulnerability has been marked “Exploitation More Likely,” meaning the company expects exploits to appear soon.

As analysts at Shadowserver warn, 29,098 unpatched Exchange servers are exposed on the internet. Specifically, more than 7,200 IP addresses were found in the US, over 6,700 in Germany, and more than 2,500 in Russia.

The day after the issue was disclosed, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, mandating that all federal agencies (including the Departments of the Treasury and Energy) urgently address the threat.

In a separate security bulletin, CISA representatives emphasized that failing to remediate CVE-2025-53786 could lead to a “complete compromise of the hybrid cloud and the on-premises domain.”

As Mollema explained, Microsoft Exchange users who have already installed the aforementioned hotfix and followed the company’s April guidance should be protected from the new issue. However, those who have not yet implemented the mitigations remain at risk and should install the hotfix and follow Microsoft’s instructions (1, 2) for deploying the dedicated Exchange Hybrid app.

“In this case, simply applying the patch is not enough; you need to perform additional manual steps to move to a dedicated service principal,” Mollema explained. “The urgency from a security standpoint depends on how important the isolation of on-premises Exchange resources and cloud-hosted resources is to administrators. In the old configuration, the Exchange hybrid system had full access to all resources in Exchange Online and SharePoint.”

The expert also emphasized once again that exploitation of CVE-2025-53786 occurs post-compromise: an attacker must have already compromised the on-premises environment or Exchange servers and have administrator privileges.
