A new Exchange “Privilege Escalation” flaw exposes hybrid servers

Microsoft has shared information about CVE-2025-53786, an Elevation of Privilege flaw affecting hybrid deployments of Microsoft Exchange Server 2016 and 2019.

The Redmond giant said that an attacker with on-premises administrative rights could exploit the shared service principal trust to take control of the connected Exchange Online environment. Luckily, Microsoft has not yet observed any active exploitation. The vulnerability has a CVSS v3.1 score of 8.0 (High).

To protect against this vulnerability, admins should install the April 2025 hotfix or a newer patch. This update makes it possible to deploy a dedicated Exchange hybrid app and to reliably reset the shared credentials. Microsoft said that the Hybrid Configuration Wizard (HCW) can also be used to create the dedicated app.

The goal of the patch is to replace the exploitable legacy shared service principal trust. Microsoft notes that it is important to deploy and enable the new app before removing the legacy trust.

After deploying the dedicated app, administrators must remove the legacy shared trust with a provided cleanup script. Verification is also required to confirm the shared service principal no longer holds key credentials. In an easily overlooked step, Microsoft warns that the cleanup needs to be run again if the HCW is executed again.
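The verification step described above, as an added PowerShell example that is not Microsoft's own cleanup or verification script. It assumes the Microsoft.Graph PowerShell module, that the legacy shared trust is the first-party "Office 365 Exchange Online" service principal (appId 00000002-0000-0ff1-ce00-000000000000), and that you pass the appId of your newly deployed dedicated hybrid app (placeholder here); it reports whether the dedicated app is present and whether any key credentials remain on the shared service principal.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

function Test-ExchangeHybridTrustState {
    [CmdletBinding()]
    param(
        # Assumed: first-party Office 365 Exchange Online application used by the legacy shared trust.
        [string]$SharedAppId = '00000002-0000-0ff1-ce00-000000000000',
        # Placeholder: appId of the dedicated Exchange hybrid app created by the hotfix/HCW in your tenant.
        [Parameter(Mandatory)][string]$DedicatedAppId
    )

    # Read-only scope is sufficient to inspect service principals and their keyCredentials.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

    # 1. The dedicated app must exist before the legacy trust is removed.
    $dedicated = Get-MgServicePrincipal -Filter "appId eq '$DedicatedAppId'" -ErrorAction Stop
    $dedicatedPresent = [bool]$dedicated
    if (-not $dedicatedPresent) {
        Write-Warning "Dedicated hybrid app $DedicatedAppId not found; do not remove the legacy trust yet."
    }

    # 2. After cleanup, the shared service principal should hold no certificate (key) credentials.
    $shared = Get-MgServicePrincipal -Filter "appId eq '$SharedAppId'" -ErrorAction Stop
    if (-not $shared) { throw "Shared service principal for appId $SharedAppId not found." }

    $remaining = @($shared.KeyCredentials)
    foreach ($c in $remaining) {
        # Each remaining entry is a credential the cleanup script should have removed.
        Write-Warning ("Key credential still present: KeyId={0} Type={1} Usage={2} Expires={3}" -f
            $c.KeyId, $c.Type, $c.Usage, $c.EndDateTime)
    }

    $cleanupDone = ($remaining.Count -eq 0)
    if (-not $cleanupDone) {
        Write-Warning 'Re-run the Microsoft cleanup script (required again after any re-run of the HCW).'
    }

    [pscustomobject]@{
        DedicatedAppPresent     = $dedicatedPresent
        SharedKeyCredentials    = $remaining.Count
        LegacyTrustCleanupDone  = $cleanupDone
        ReadyForProduction      = ($dedicatedPresent -and $cleanupDone)
    }
}

# Example invocation with a placeholder appId; substitute the dedicated app's real appId.
Test-ExchangeHybridTrustState -DedicatedAppId '00000000-0000-0000-0000-000000000000'
```

Run it once after the cleanup script and again after any later HCW run, since the article notes the HCW can re-establish the shared credentials.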

Before you get to installing the patch and deploying the hybrid app, you need to use Microsoft Defender Vulnerability Management (MDVM) to detect, track, and prioritize remediation. MDVM can be used to search for the CVE and view a list of your exposed devices. Admins can also use Advanced Hunting queries to find devices missing the hotfixes.

Admins who want to apply the fix should follow the instructions outlined by Microsoft in its announcement. Patching is a multi-step process, so be sure to follow the instructions carefully.
