Advisory: High-severity Elevation of Privilege (EoP) vulnerability affecting Microsoft Exchange Server (CVE-2025-53786)
We assess that this post-exploitation technique is likely to become a standard component in the toolkits of both nation-state APT groups and financially motivated cybercriminals involved in ransomware operations

On August 6th 2025, Microsoft disclosed CVE-2025-53786 via the Microsoft Security Update Guide. The vulnerability affects organisations running hybrid deployments of Microsoft Exchange Server (2016, 2019, and Subscription Edition) and could allow an attacker to escalate privileges from the on-premises server into Exchange Online by abusing the hybrid authentication configuration.
Organisations that have already followed Microsoft's April 2025 patch guidance, deployed the dedicated Exchange hybrid app, and followed Microsoft's Service Principal Clean-Up Mode guidance are not at risk.
Exploit status at the time of publication: no confirmation of in-the-wild exploitation.
Vulnerability assessment
CVE-2025-53786 has a CVSS Score of 8.0 (high-severity). A successful attack can:
- escalate privileges by exploiting vulnerable hybrid configurations and move laterally from on-premises Exchange to the M365 cloud environment
- potentially lead to a total domain compromise
Exploitation of this vulnerability is only possible after an attacker has already gained administrative access to the on-premises Exchange server.
mnemonic Threat Intelligence assessment
This issue has attracted significant attention at this year's Black Hat conference, and we anticipate that threat actors will soon begin exploiting this vulnerability to pivot from on-premises intrusions into cloud environments. We assess that this technique is likely to become a standard component in the toolkits of both nation-state APT groups and financially motivated cybercriminals involved in ransomware operations.
We strongly recommend that organisations operating hybrid infrastructure follow the security guidance issued by Microsoft and CISA to mitigate the risk.
Affected products
Only hybrid configurations are affected by this vulnerability:
- Microsoft Exchange Server 2016: Hybrid deployments with Exchange Online
- Microsoft Exchange Server 2019: Hybrid deployments with Exchange Online
- Microsoft Exchange Server Subscription Edition: Hybrid deployments with Exchange Online
Technical details
The vulnerability is an improper authentication weakness (CWE-287). In a hybrid deployment, the on-premises Exchange Server and Exchange Online share the same service principal for their OAuth trust, so tokens minted by the on-premises side are accepted by Exchange Online as coming from the same trusted identity. Exploitation requires prior administrative access to the on-premises Exchange server, making it a post-exploitation technique.
With that access, an attacker can abuse the shared trust to escalate privileges and pivot into Exchange Online, potentially gaining control of the organisation's M365 Exchange environment. It is rated high severity because the move from on-premises to cloud is straightforward and does not leave easily detectable or auditable traces.
Recommendations
- Exchange Server 2016: install the May 2025 Hotfix Update (build 15.01.2507.057) or later
- Exchange Server 2019: install the April 2025 Hotfix Update (build 15.02.1748.024) or later
- Read "Exchange Server Security Changes for Hybrid Deployments", released by Microsoft on April 18th, and implement the changes in your Exchange server and hybrid environment. The article also links to additional documentation for the clean-up steps, which are necessary to mitigate the risk posed by CVE-2025-53786; installing the hotfix alone is not sufficient
- Disconnect end-of-life Exchange servers, which cannot receive the hotfix
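The following PowerShell is an added example written for this advisory; it is not code from mnemonic or from Microsoft. It verifies the outcome of the recommendations above and of the shared-trust mechanism described under "Technical details": whether each server is on at least the hotfix build listed above, whether the dedicated Exchange hybrid app feature is enabled, and whether the shared first-party "Office 365 Exchange Online" service principal in Entra ID still carries keyCredentials (the on-premises OAuth certificate that makes the pivot possible). Assumptions: the first two checks run in an Exchange Management Shell; the third needs the Microsoft.Graph PowerShell module and a Connect-MgGraph session with Application.Read.All. The setting override component and section names are those used in Microsoft's dedicated hybrid app guidance as recalled here, and the well-known appId is that of the first-party Exchange Online application; verify both against the linked Microsoft article before relying on the result. The remediation itself is done with Microsoft's ConfigureExchangeHybridApplication.ps1 script per that article; this block only reports.

```powershell
# Added example, not code from the mnemonic advisory or from Microsoft.
# Read-only checks for the three conditions described in the lead-in.
# Assumptions: checks 1-2 run in an Exchange Management Shell; check 3 needs
# Microsoft.Graph and an existing Connect-MgGraph -Scopes Application.Read.All session.

# Hotfix builds taken from the advisory. Servers on an older CU line (e.g. 2019 CU14)
# have their own April/May 2025 HU build and must be added here before relying on this.
$MinimumHotfixBuild = @{
    '15.1' = [version]'15.1.2507.57'   # Exchange 2016 CU23, May 2025 HU
    '15.2' = [version]'15.2.1748.24'   # Exchange 2019 CU15, April 2025 HU
}

# Well-known appId of the first-party "Office 365 Exchange Online" service principal
$ExchangeOnlineFirstPartyAppId = '00000002-0000-0ff1-ce00-000000000000'

function ConvertTo-ExchangeBuild {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1748.24)"; return it as [version]
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    throw "Unrecognised AdminDisplayVersion string: $AdminDisplayVersion"
}

function Test-HotfixBuild {
    # Compare a server build against the advisory's baseline for its major.minor line
    param([Parameter(Mandatory)][version]$Build)
    $key = '{0}.{1}' -f $Build.Major, $Build.Minor
    if (-not $MinimumHotfixBuild.ContainsKey($key)) {
        return 'NoBaselineListed'          # do not guess for lines the advisory omits
    }
    if ($Build -ge $MinimumHotfixBuild[$key]) { 'Patched' } else { 'BelowHotfix' }
}

function Test-DedicatedHybridAppOverride {
    # The dedicated hybrid app feature is switched on with a setting override
    # (assumed names from Microsoft's guidance). No override means the server still
    # authenticates to Exchange Online through the shared service principal.
    $o = Get-SettingOverride | Where-Object {
        $_.ComponentName -eq 'ActiveMonitoring' -and
        $_.SectionName   -eq 'EnableExchangeHybridApplication' -and
        $_.Parameters    -contains 'Enabled=true'
    }
    return [bool]$o
}

function Get-SharedServicePrincipalKeyCredentials {
    # After Service Principal Clean-Up Mode this list should be empty: any remaining
    # keyCredential is a certificate Exchange Online will accept tokens from.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineFirstPartyAppId'"
    return @($sp.KeyCredentials | Select-Object DisplayName, KeyId, StartDateTime, EndDateTime)
}

# Check 1 and 2: on-premises report (Exchange Management Shell)
foreach ($srv in Get-ExchangeServer) {
    $build = ConvertTo-ExchangeBuild ([string]$srv.AdminDisplayVersion)
    '{0,-24} {1,-16} {2}' -f $srv.Name, $build, (Test-HotfixBuild $build)
}
'Dedicated hybrid app override enabled: {0}' -f (Test-DedicatedHybridAppOverride)

# Check 3: cloud-side report (Microsoft Graph session required)
$creds = Get-SharedServicePrincipalKeyCredentials
'keyCredentials still present on the shared service principal: {0}' -f $creds.Count
$creds | Format-Table -AutoSize
```

A server reporting "Patched" but with the override absent, or a tenant whose shared service principal still lists keyCredentials, has not completed the mitigation: the hotfix only adds support for the dedicated hybrid app, and the shared trust remains exploitable until the app is deployed and the clean-up mode has removed the on-premises certificate from the first-party service principal.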
Detection coverage for Argus MDR customers
mnemonic is actively implementing detections for this vulnerability as new information becomes available.