Microsoft has released a security advisory to address a high-severity vulnerability in its on-premises Exchange Server versions that could allow an attacker to gain elevated privileges under certain conditions. The vulnerability, tracked as CVE-2025-53786, has a CVSS score of 8.0.
The issue arises when an attacker who has already gained administrative access to an on-premises Exchange server escalates privileges within the connected cloud environment, potentially without leaving detectable traces. As mitigations, Microsoft recommends reviewing its published security changes for hybrid deployments, installing the April 2025 hotfix, and following its configuration instructions.
Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) warns that, if left unpatched, the vulnerability could compromise the integrity of an organization's Exchange Online service identity. Microsoft plans to enforce mandatory separation of the Exchange on-premises and Exchange Online service principals by October 2025.
The company also announced that it will temporarily block Exchange Web Services (EWS) traffic that uses the shared service principal starting this month, to improve customers' security posture and encourage adoption of the dedicated Exchange hybrid app.
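The first practical step behind the advice above is knowing which on-premises servers are still below the April 2025 hotfix level. The following Exchange Management Shell snippet is an added example, not code from the article or from Microsoft, that inventories servers with the real `Get-ExchangeServer` cmdlet and compares each server's `AdminDisplayVersion` against a minimum build you supply. The `$MinimumBuild` values are placeholders: replace them with the exact hotfix build numbers from Microsoft's release notes for your cumulative update, since the article does not list them.

```powershell
# Added example (not from the article or from Microsoft's advisory).
# Run in the Exchange Management Shell on an on-premises Exchange server.
# Get-ExchangeServer and its AdminDisplayVersion / ServerRole properties are
# real cmdlet output; everything else here is illustrative.

# PLACEHOLDER values: fill in the minimum build for each version line from
# Microsoft's release notes for the April 2025 hotfix update.
$MinimumBuild = @{
    '15.1' = [version]'15.1.0.0'   # Exchange 2016 line - replace with real build
    '15.2' = [version]'15.2.0.0'   # Exchange 2019 line - replace with real build
}

function Get-ExchangePatchStatus {
    # Emit one object per server with its installed build and a status verdict.
    Get-ExchangeServer | ForEach-Object {
        $v = $_.AdminDisplayVersion
        # AdminDisplayVersion renders as "Version 15.2 (Build 1748.24)", so
        # rebuild a comparable System.Version from its numeric parts.
        $installed = [version]"$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        $required  = $MinimumBuild["$($v.Major).$($v.Minor)"]

        if ($null -eq $required) {
            $status = 'UnknownVersionLine'   # not in the table: review manually
        } elseif ($installed -ge $required) {
            $status = 'AtOrAboveMinimum'
        } else {
            $status = 'NeedsUpdate'
        }

        [pscustomobject]@{
            Server    = $_.Name
            Role      = $_.ServerRole
            Installed = $installed
            Required  = $required
            Status    = $status
        }
    }
}

Get-ExchangePatchStatus | Sort-Object Status, Server | Format-Table -AutoSize
```

Servers reported as `NeedsUpdate` are the ones to schedule first; `UnknownVersionLine` covers builds outside the two supported lines, which on a hybrid estate usually means an end-of-life server that needs its own review. After patching, Microsoft's Exchange Server Health Checker script (HealthChecker.ps1 from the microsoft/CSS-Exchange GitHub repository) gives a fuller per-server report, including hybrid configuration details this snippet does not cover.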
Source: https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html