Thursday November 27, 2025

Advisory ID:   ngCERT-2025-110004

SUMMARY

ngCERT is aware of a high-severity vulnerability which combines elements of CWE-287 (Improper Authentication) with a privilege escalation path identified in Microsoft Exchange Server hybrid deployments. Such deployments connect on-premises Exchange servers to Exchange Online within Microsoft 365. The flaw, tracked as CVE-2025-53786, arises from the weak authentication trust established between the two environments through a shared service principal. Attackers who already hold administrative privileges on-premises could abuse this trust relationship to escalate privileges into the connected cloud environment. Consequently, individuals and organisations are advised to take immediate steps to protect their systems from exploitation by threat actors.

Damage:      Critical

Probability:  High 

Platform(s): Microsoft Exchange Server (Hybrid Deployments)

DESCRIPTION

CVE-2025-53786 stems from improper authentication handling in hybrid Microsoft Exchange Server environments that link on-premises servers with Exchange Online. The flaw affects hybrid Microsoft Exchange setups and combines elements of CWE-287 (Improper Authentication) with a privilege escalation path. Threat actors with elevated privileges on the on-premises Exchange environment can exploit these weaknesses to request or forge tokens, thereby elevating their effective privileges in the cloud and gaining access to cloud services. This movement may occur without typical logging or controls catching the activity, complicating detection and response. Affected systems include Exchange Server 2016, 2019, and Subscription Edition that have not applied Microsoft’s April 2025 hybrid configuration update. Organisations are advised to apply the April 2025 or later Exchange Server hotfix to avoid being vulnerable to cross-environment privilege escalation.

CONSEQUENCES

Successful exploitation of this vulnerability could result in:

    1. Privilege escalation
    2. System compromise
    3. Persistence across environments
    4. Unauthorised cloud account access/takeover
    5. Data Exfiltration
    6. Lateral movement across a connected cloud environment
    7. Data tampering
    8. Reputational Damage

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Install the April 2025 or later Exchange Server hotfix on all on-premises servers in hybrid environments.
    2. Reconfigure the hybrid deployment to use a dedicated hybrid application in Entra ID instead of the legacy shared service principal model.
    3. Implement Microsoft’s Service Principal Clean-Up Mode to revoke and regenerate hybrid service principal credentials.
    4. Audit on-premises Exchange settings for hybrid status, update levels, shared principal use, admin access, and abnormal authentication activity.
    5. Restrict administrative privileges with the least privilege, enforce MFA, and monitor for suspicious admin activity.
    6. Implement logging and alerting for suspicious token requests, credential changes, and cross-environment access anomalies.
    7. If immediate patching isn’t possible, apply compensating controls like isolating the Exchange server, limiting outbound traffic, and monitoring hybrid token flows.
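The following Exchange Management Shell script is an added example, not code from the ngCERT advisory or from Microsoft's own tooling; it covers recommendations 1 and 4 above by confirming whether the organisation is hybrid-enabled and comparing each on-premises server's build against a minimum patched build. Get-HybridConfiguration and Get-ExchangeServer are standard Exchange cmdlets; the minimum build numbers are placeholders, since the advisory does not list them, and must be taken from Microsoft's April 2025 (or later) hotfix release notes.

```powershell
# Added example (not part of the ngCERT advisory): audit on-premises Exchange
# servers in a hybrid deployment for (a) hybrid status and (b) hotfix level.
# Run in the Exchange Management Shell with View-Only Organization Management
# rights or higher.

# PLACEHOLDER builds: replace with the build numbers from Microsoft's April 2025
# (or later) hotfix release notes. 15.1 = Exchange 2016, 15.2 = Exchange 2019 / SE.
$MinimumPatchedBuild = @{
    '15.1' = [Version]'15.1.0.0'   # PLACEHOLDER: Exchange Server 2016 April 2025 HU build
    '15.2' = [Version]'15.2.0.0'   # PLACEHOLDER: Exchange Server 2019 / SE April 2025 HU build
}

function Get-ExchangeBuild {
    # Turn the display string "Version 15.2 (Build 1748.24)" into a [Version].
    param([string]$DisplayVersion)
    if ($DisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [Version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null
}

# (a) Hybrid status: no HybridConfiguration object means no hybrid deployment.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if ($null -eq $hybrid) {
    Write-Output 'No hybrid configuration found; the hybrid-specific guidance does not apply.'
} else {
    Write-Output ('Hybrid configuration present. Features: {0}' -f ($hybrid.Features -join ', '))
}

# (b) Hotfix level: flag every server whose build is below the minimum for its branch.
$report = foreach ($server in Get-ExchangeServer) {
    $build   = Get-ExchangeBuild ([string]$server.AdminDisplayVersion)
    $branch  = if ($build) { '{0}.{1}' -f $build.Major, $build.Minor } else { 'unknown' }
    $minimum = $MinimumPatchedBuild[$branch]
    $status  = if (-not $build -or -not $minimum) { 'UNKNOWN' }
               elseif ($build -ge $minimum)       { 'OK' }
               else                               { 'NEEDS HOTFIX' }
    [PSCustomObject]@{
        Server  = $server.Name
        Build   = $build
        Minimum = $minimum
        Status  = $status
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning ('{0}: build {1} is below or unknown relative to minimum {2}' -f $_.Server, $_.Build, $_.Minimum)
}
```

Servers reported as NEEDS HOTFIX or UNKNOWN should be treated as exposed to the cross-environment escalation described above until the hotfix is confirmed. The script does not inspect the shared service principal itself; that part of recommendation 4 (and recommendations 2 and 3) is carried out against Entra ID following Microsoft's hybrid application guidance.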
