Microsoft has released an advisory for high-strength security flaws affecting on-premises versions of Exchange Server, allowing attackers to gain increased privileges under certain conditions.
The CVSS score for vulnerabilities tracked as CVE-2025-53786 is 8.0. Dirk-Jan Molema with outsider security has been recognized for reporting a bug.
“In a replacement hybrid deployment, the attacker who first gained administrative access to an on-premises exchange server could potentially escalate privileges within an organization’s connected cloud environment without leaving traces of easily detectable and auditable.”
“This risk arises because Exchange Server and Exchange Online share the same service principal in a hybrid configuration.”
The successful exploitation of the flaws allows attackers to escalate privileges within an organization’s connected cloud environment without leaving traces that can be easily detected and auditable, the company added. However, the attack is on threat actors whose administrators are accessing Exchange Server.
In its own bulletin, the US Cybersecurity and Infrastructure Security Agency (CISA) said that vulnerabilities could affect the integrity of the organization’s exchange online service identity if left unreceived.
As a mitigation, customers should check for Exchange Server security changes in hybrid deployments, install the April 2025 Hot Fix (or new) and follow the configuration instructions.
“If you configured Exchange Hybrid or OAuth authentication between your Exchange Hybrid or Exchange Server and your Exchange Online organization, but you no longer use it, reset the service principal’s KeyCredentials,” Microsoft said.
Development said Windows Maker will start temporarily blocking Exchange Web Services (EWS) traffic using Exchange Online Shared Services Principals, so it will strive to increase customer recruitment for dedicated Exchange hybrid apps and improve the security attitude of hybrid environments.
Microsoft’s advisory to CVE-2025-53786 is also consistent with CISA’s analysis of various malicious artifacts that have been deployed following the exploitation of recently disclosed SharePoint flaws that were collectively tracked as a toolshell.
It contains two Base64 encoded DLL binaries and four Active Server Page Extension (ASPX) files designed to retrieve machine key settings within the configuration of an ASP.NET application, acting as a web shell to run commands and upload files.
“Cyberthreat actors can leverage this malware to steal encryption keys and run Base64-encoded PowerShell commands to fingerprint host systems and remove data,” the agency said.
Additionally, CISA is urging entities to disconnect public flap versions of Exchange or SharePoint Server that have reached end-of-life (EOL) or service termination from the Internet, not to mention discontinuing the use of older versions.
Source link
