On August 6, 2025, Microsoft disclosed a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to silently escalate privileges from on-premises Exchange servers into Exchange Online environments.
Tracked as CVE-2025-53786, the flaw received a CVSS score of 8.0 out of 10, and affects Exchange Server 2016, 2019, and the Subscription Edition.
Although no active exploitation has been observed yet, Microsoft labeled the flaw as “Exploitation More Likely”, possibly due to previous Exchange vulnerabilities, such as ProxyLogon and ProxyShell, which were widely abused by state-sponsored and financially motivated threat actors.
Security researcher Dirk-jan Mollema demonstrated the CVE-2025-53786 exploit live at Black Hat USA 2025, revealing that threat actors could take advantage of the hybrid identity model, where organizations synchronize their on-premises Active Directory (AD) with Entra ID using shared service principals.
Mollema showed that, with administrator-level access to an on-premises Exchange Server, a threat actor can:
- Manipulate synchronization credentials
- Convert cloud-only users into hybrid users
- Impersonate hybrid users with valid tokens
These tokens remain active for 24 hours and cannot be revoked, giving attackers a full day of undetected access to sensitive cloud assets.
Analyst insight
It’s important to note that threat actors need to have prior access to the on-prem Exchange Server, which means this technique is more likely to be used in post-compromise scenarios rather than as an initial entry point.
However, once inside, threat actors can gain full control over an organization's Microsoft 365 environment, leading to “total domain compromise”.
Microsoft and CISA have issued urgent guidance to mitigate the risk:
- Apply the April 2025 (or newer) Exchange Server hotfix on all on-premises servers.
- Transition from the shared service principal to a dedicated hybrid app using Microsoft’s configuration script.
- If hybrid or OAuth authentication was previously configured, reset the service principal’s keyCredentials to invalidate potentially compromised tokens.
- Run the Exchange Health Checker tool to assess update status and identify unsupported or vulnerable servers.
- Immediately disconnect end-of-life Exchange or SharePoint servers from the internet to reduce exposure.
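The following PowerShell walks through the verification and cleanup side of the steps above. It is an added example, not code from the advisory, from Microsoft, or from Mollema's research. It assumes an Exchange Management Shell on an on-premises server, the Microsoft Graph PowerShell module connected with Application.ReadWrite.All, and HealthChecker.ps1 downloaded from Microsoft's CSS-Exchange repository into the working directory. The exact parameter names of Microsoft's hybrid-app configuration script are not given on this page, so the keyCredentials reset is shown as the equivalent Microsoft Graph update; the appId 00000002-0000-0ff1-ce00-000000000000 is the well-known Office 365 Exchange Online first-party application.

```powershell
# Added example (not from the advisory or Microsoft's script): verification and cleanup
# for the CVE-2025-53786 mitigation steps. Assumptions: Exchange Management Shell for
# steps 1-2, Microsoft Graph PowerShell with Application.ReadWrite.All for steps 3-4,
# HealthChecker.ps1 present in the current directory.

# 1) Inventory every on-premises Exchange server. AdminDisplayVersion reflects the CU level
#    only; security/hotfix updates do not change it, so use step 2 for hotfix status.
Get-ExchangeServer | Sort-Object Name |
    Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize

# 2) Run Microsoft's Exchange Health Checker against each server to report whether the
#    April 2025 (or newer) hotfix is installed and to flag unsupported builds.
Get-ExchangeServer | ForEach-Object { .\HealthChecker.ps1 -Server $_.Name }

# 3) Audit the shared Exchange Online first-party service principal. Any certificate
#    listed here can still be used by hybrid servers (including a compromised one) to
#    obtain tokens, so record the list for the incident timeline before clearing it.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$exoSp.KeyCredentials |
    Select-Object DisplayName, KeyId, Type, Usage, StartDateTime, EndDateTime |
    Format-Table -AutoSize

# 4) Reset keyCredentials only AFTER the dedicated hybrid app has been configured with
#    Microsoft's script: hybrid features that still rely on the shared principal stop
#    working until then. Writing an empty array removes every previously uploaded
#    certificate, which is the "reset" the guidance refers to.
Update-MgServicePrincipal -ServicePrincipalId $exoSp.Id -KeyCredentials @()

# Confirm the principal now carries no key credentials.
(Get-MgServicePrincipal -ServicePrincipalId $exoSp.Id).KeyCredentials.Count
```

Clearing keyCredentials does not shorten the lifetime of tokens already issued (the page notes they stay valid for up to 24 hours and cannot be revoked), so the reset stops new token issuance with old certificates rather than ending sessions in progress; that window is the one to watch in Exchange Online and Entra sign-in logs.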
Note: Microsoft officially announced that Exchange Server 2016 and Exchange Server 2019 will reach end of support on October 14, 2025. After this date, these versions will no longer receive technical support, bug fixes, or security updates. While the servers will continue to function, running them past their end-of-life introduces serious risks, including exposure to unpatched vulnerabilities and compliance issues. Organizations still relying on these versions should begin planning migrations either to Exchange Online or to the Exchange Server Subscription Edition (SE).
SharePoint Server 2016 and SharePoint Server 2019 are scheduled to reach end of support on July 14, 2026. The recommended path forward is to migrate to SharePoint Online or adopt the SharePoint Server Subscription Edition, which follows a continuous update model and requires organizations to stay current with cumulative updates to remain supported.