CISA, Microsoft warn organizations of high-severity Microsoft Exchange vulnerability

LAS VEGAS — Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 

Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 

While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following researcher Mollema’s presentation.

Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment. 

Attackers could escalate privileges in an organization’s connected cloud environment because on-premises and cloud-based versions of Exchange share the same permissions in hybrid configurations, Microsoft said in its advisory. The vulnerability affects Entra ID, Microsoft’s identity and access management service, potentially exposing a path for attackers to move from a compromised on-premises Exchange server to a connected cloud-based counterpart.

Authorities are actively monitoring and assessing the scope and impact of the vulnerability, Chris Butera, acting executive assistant director at the Cybersecurity and Infrastructure Security Agency, said in a statement. 

Microsoft said it already addressed the vulnerability in April when it introduced changes to improve the security of Exchange Server hybrid deployments. The company and CISA urged organizations to apply Microsoft’s April 2025 Exchange Server hotfix updates to on-premises Exchange servers, implement the configuration changes, and clear certificates from the shared service principal.
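As an added illustration of the last of those steps, and not code from the article, CISA or Microsoft, the following PowerShell lists the certificate credentials still attached to the shared Exchange Online service principal in Entra ID so an administrator can see whether any remain to be cleared. It assumes the Microsoft Graph PowerShell SDK is installed, and that the first-party Exchange Online application ID is `00000002-0000-0ff1-ce00-000000000000` (an assumption to verify against Microsoft’s current hybrid guidance); it is read-only, and removal should follow Microsoft’s documented procedure once the April 2025 hotfix is in place.

```powershell
# Added example (not from the article): audit certificate credentials on the
# shared Exchange Online service principal. Read-only; it only reports what
# remains so the clean-up step can be verified. Requires Microsoft.Graph SDK.

# ASSUMPTION: well-known appId of the first-party "Office 365 Exchange Online"
# application. Verify against Microsoft's hybrid guidance before relying on it.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-SharedExchangeServicePrincipalCertificates {
    param([string]$AppId = $ExchangeOnlineAppId)

    # Application.Read.All is sufficient to read service principal credentials.
    Connect-MgGraph -Scopes 'Application.Read.All'

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        Write-Warning "No service principal found for appId $AppId"
        return @()
    }

    # keyCredentials on this first-party service principal are the certificates
    # an on-premises hybrid Exchange server has been authorized to sign in with.
    $now = Get-Date
    foreach ($cred in $sp.KeyCredentials) {
        $thumb = $null
        if ($cred.CustomKeyIdentifier) {
            $thumb = ([BitConverter]::ToString($cred.CustomKeyIdentifier)) -replace '-', ''
        }
        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            KeyId            = $cred.KeyId
            Thumbprint       = $thumb
            Type             = $cred.Type
            Usage            = $cred.Usage
            NotAfter         = $cred.EndDateTime
            Expired          = ($cred.EndDateTime -lt $now)
        }
    }
}

$certs = @(Get-SharedExchangeServicePrincipalCertificates)
if ($certs.Count -eq 0) {
    Write-Host 'No certificate credentials remain on the shared service principal.'
} else {
    Write-Host "$($certs.Count) certificate credential(s) still present; review and clear per Microsoft guidance:"
    $certs | Format-Table -AutoSize
}
```

An empty result after the clean-up confirms the shared service principal no longer trusts any on-premises certificate; expired entries in the list are still worth removing, since the audit is about what the tenant trusts, not what currently works.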

Starting later this month, Microsoft said it will temporarily block Exchange Web Services traffic using the shared service principal. That block will be permanent by the end of October, the company said.

The move is part of Microsoft’s strategy to accelerate and eventually force customers to adopt its dedicated Exchange hybrid app. “Even though adoption of server versions that support dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low,” Microsoft said in a blog post. 

CISA also advised organizations to disconnect any internet-exposed and end-of-life versions of Exchange Server and SharePoint Server.

The coordinated disclosure of the vulnerability comes less than three weeks after security researchers across the industry sounded the alarm about a mass attack spree linked to a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers. More than 400 organizations were impacted by those attacks, among them multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
