28,000 Microsoft Exchange Servers Vulnerable to CVE-2025-53786 Exposed Online
Over 28,000 unpatched Microsoft Exchange servers are exposed on the public internet and remain vulnerable to a critical security flaw designated CVE-2025-53786, according to new scanning data released on August 7, 2025, by The Shadowserver Foundation.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02 on August 7, requiring federal agencies to address this high-severity vulnerability in Microsoft Exchange hybrid deployments by 9:00 AM ET on Monday, August 11.
The flaw, carrying a CVSS score of 8.0 out of 10, allows attackers with administrative access to on-premises Exchange servers to escalate privileges within connected Microsoft 365 cloud environments without leaving easily detectable audit trails.
Shadowserver's scan data shows the United States, Germany, and Russia hosting the three largest concentrations of exposed vulnerable servers.

These findings come as Microsoft and CISA warn of “significant, unacceptable risk” to organizations operating Exchange hybrid configurations that have not implemented the April 2025 security guidance.
The vulnerability’s origins trace back to April 18, 2025, when Microsoft announced Exchange Server Security Changes for Hybrid Deployments alongside a non-security hotfix update.
Microsoft initially presented the changes as general security improvements; after further investigation, it identified specific security implications that warranted assigning a CVE.
The company now strongly recommends installing the April 2025 hotfix or later and implementing configuration changes in Exchange Server hybrid environments.
The flaw exists because Exchange Server and Exchange Online share the same service principal in hybrid configurations, creating a pathway for privilege escalation attacks.
Security researcher Dirk-Jan Mollema from Outsider Security, who reported the vulnerability, demonstrated the exploit at Black Hat USA 2025, showing how threat actors can forge authentication tokens that remain valid for 24 hours while bypassing conditional access policies.
Microsoft has labeled the vulnerability as “Exploitation More Likely” despite no confirmed active exploitation as of the disclosure date.
However, CISA Acting Director Madhu Gottumukkala emphasized the urgency, stating the agency is “taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend”.
Organizations must install Microsoft’s April 2025 Exchange Server hotfix updates, deploy dedicated Exchange hybrid applications, and clean up legacy service principal credentials.
Microsoft plans to permanently block Exchange Web Services traffic using the shared service principal after October 31, 2025, as part of its transition to a more secure Graph API architecture.
CISA strongly encourages all organizations, not just federal agencies, to implement the emergency directive guidance to prevent potential total domain compromise of both on-premises and cloud environments.
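The two checks below are an added audit example, not code from the article, Microsoft or CISA: part 1 lists each on-premises Exchange server's build so it can be compared against the April 2025 hotfix level, and part 2 lists any keyCredentials still attached to the tenant's Exchange Online first-party service principal, which is where the "clean up legacy service principal credentials" step applies. It assumes an Exchange Management Shell session for part 1 and the Microsoft Graph PowerShell SDK for part 2; the well-known appId 00000002-0000-0ff1-ce00-000000000000 and the premise that the Hybrid Configuration Wizard placed the on-premises auth certificate there are assumptions to confirm against Microsoft's current guidance.

```powershell
# Added audit example (not from the article, Microsoft or CISA).
# Part 1 runs in the on-premises Exchange Management Shell; Part 2 needs the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module).

# --- Part 1: which Exchange servers carry the April 2025 hotfix or later? ----
# The article gives no build numbers, so this table stays empty until you fill
# it from Microsoft's April 2025 HU release notes; servers whose major version
# has no entry are reported as Unknown rather than silently passed.
$minimumBuild = @{
    # '15.2' = [Version]'15.2.PLACEHOLDER'   # Exchange 2019 April 2025 HU
    # '15.1' = [Version]'15.1.PLACEHOLDER'   # Exchange 2016 April 2025 HU
}

function Get-ExchangeBuildStatus {
    Get-ExchangeServer | ForEach-Object {
        # AdminDisplayVersion renders as "Version 15.2 (Build 1748.10)"
        if ("$($_.AdminDisplayVersion)" -match 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)') {
            $major = $Matches[1]
            $build = [Version]"$major.$($Matches[2])"
            if (-not $minimumBuild.ContainsKey($major)) { $status = 'Unknown' }
            elseif ($build -ge $minimumBuild[$major])    { $status = 'Patched' }
            else                                          { $status = 'Unpatched' }
            [pscustomobject]@{ Server = $_.Name; Build = $build; Status = $status }
        }
    }
}

# --- Part 2: leftover credentials on the Exchange Online service principal ---
# Assumption: the Hybrid Configuration Wizard uploaded the on-premises Exchange
# auth certificate as a keyCredential on the tenant's Exchange Online first-party
# service principal (well-known appId 00000002-0000-0ff1-ce00-000000000000).
# Anything still listed here is a candidate for the legacy-credential cleanup
# once the dedicated Exchange hybrid application is in place.
function Get-ExchangeOnlineKeyCredentials {
    Connect-MgGraph -Scopes 'Application.Read.All'
    $sp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
    foreach ($cred in $sp.KeyCredentials) {
        [pscustomobject]@{
            KeyId       = $cred.KeyId
            DisplayName = $cred.DisplayName
            Expires     = $cred.EndDateTime
            Usage       = $cred.Usage
        }
    }
}

Get-ExchangeBuildStatus | Format-Table -AutoSize
Get-ExchangeOnlineKeyCredentials | Format-Table -AutoSize
```

Read-only by design: it reports what needs attention and leaves the hotfix installation, hybrid app deployment and credential removal to Microsoft's documented procedure.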