CISA, Microsoft warn about new Microsoft Exchange server vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft late Wednesday warned that a new high-severity vulnerability in Microsoft Exchange could let hackers pivot from the on-premises version of the product to the cloud version and potentially gain total control of the system.

The vulnerability, tracked as CVE-2025-53786, could allow an attacker with administration privileges for on-premises Exchange “to escalate privileges by exploiting vulnerable hybrid-joined configurations,” CISA said in its alert.

Microsoft has not seen evidence that hackers are exploiting the vulnerability, according to CISA’s alert. A CISA employee, who requested anonymity to speak candidly, said the agency likewise had not seen signs of exploitation.

CISA urged users of on-premises Exchange servers to download Microsoft’s April 2025 Exchange Server hotfix updates. It also said organizations should disconnect any internet-connected versions of Microsoft Exchange Server and SharePoint Server if they have reached end-of-life status.

Microsoft said it plans to temporarily block Exchange Web Services traffic through the company’s shared service principal. It encouraged customers to migrate to its Exchange Hybrid app, which offers what the company calls a “rich coexistence” between its cloud and on-premises products, allowing users to share profile pictures, look up calendar statuses and engage with other connected features. 

The company previously warned customers in April about the need for this migration. Wednesday’s announcement will accelerate that transition process. 

Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement that “all organizations are strongly encouraged to implement Microsoft guidance to reduce risk.” Butera called CISA and Microsoft’s teamwork to address the vulnerability “another example of the type of operational collaboration that is securing the nation’s critical infrastructure.”
