Secure now! Microsoft Exchange is vulnerable in hybrid operation
Admins who operate Exchange in a hybrid deployment should follow Microsoft's instructions to protect their instances against possible attacks.
If companies run Microsoft Exchange in a hybrid deployment (on-premises and online), attackers can, under certain circumstances, exploit a security vulnerability to gain elevated privileges in Exchange Online and cause damage there. There are no reports of attacks so far, but admins should take countermeasures nonetheless.
Background information
It is not only Microsoft that advises this, in a security advisory; the US security authority Cybersecurity & Infrastructure Security Agency (CISA) does so as well in an alert. The vulnerability (CVE-2025-53786) is rated as a "high" threat level.
According to Microsoft, only hybrid Exchange instances are at risk. Attackers need administrative access to an on-premises Exchange server to launch an attack. Once they have it, they can access Exchange Online with elevated privileges without leaving any significant traces, according to the vulnerability description.
Countermeasure
To mitigate the risk of attack, admins must install the hotfix released in April 2025 on their on-premises Exchange server. They should then follow the security recommendations for hybrid operation; Microsoft provides further information on more secure hybrid operation in an article. Finally, the keyCredentials of the first-party service principal must be cleaned up.
CISA also urges admins to check whether their organizations are running Exchange versions that are no longer supported and are reachable from the internet, since these are vulnerable instances. Editions such as SharePoint Server 2013 and earlier no longer receive security updates and must be disconnected from the internet immediately for security reasons.
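The two checks an admin would want after reading the countermeasures and the CISA note above, as an added example that is neither code from this article nor Microsoft's own hybrid configuration script: list the build of every on-premises Exchange server (to compare against Microsoft's build table for the April 2025 hotfix, whose build numbers are not part of this example) and audit which keyCredentials are still attached to the first-party service principal in the tenant. It assumes the Exchange Management Shell is available for `Get-ExchangeServer`, that the `Microsoft.Graph.Authentication` and `Microsoft.Graph.Applications` modules are installed, and that the principal in question is "Office 365 Exchange Online" with the well-known appId `00000002-0000-0ff1-ce00-000000000000` (an assumption about which principal Microsoft's cleanup step refers to). Everything it does is read-only.

```powershell
# Added example, not from the article or from Microsoft.
# Assumptions (see lead-in): Exchange Management Shell present; Microsoft Graph PowerShell
# modules installed; the appId below is assumed to be the first-party service principal
# that the cleanup step targets.

# --- 1. Which on-premises Exchange builds are running? ---------------------------
# Compare AdminDisplayVersion against Microsoft's published build table for the
# April 2025 hotfix; the build numbers themselves are deliberately not hard-coded here.
function Get-OnPremExchangeBuilds {
    Get-ExchangeServer | Select-Object Name, Edition, ServerRole, AdminDisplayVersion
}

# --- 2. Which keyCredentials remain on the first-party service principal? --------
function Get-ExchangeOnlineSpKeyCredentials {
    param(
        # Assumed appId of "Office 365 Exchange Online" (well-known first-party app).
        [string]$AppId = '00000002-0000-0ff1-ce00-000000000000'
    )
    # Read-only scope: enough to enumerate service principals and their credentials.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal with appId $AppId found in this tenant" }

    # In a classic hybrid setup these entries carry the on-premises OAuth certificate.
    # After the cleanup step described by Microsoft, the expectation is that none remain.
    $sp.KeyCredentials | ForEach-Object {
        [pscustomobject]@{
            KeyId         = $_.KeyId
            DisplayName   = $_.DisplayName
            Type          = $_.Type
            Usage         = $_.Usage
            StartDateTime = $_.StartDateTime
            EndDateTime   = $_.EndDateTime
            Expired       = ($_.EndDateTime -lt (Get-Date))
        }
    }
}

# --- Run both checks and summarise --------------------------------------------
$builds = Get-OnPremExchangeBuilds
$builds | Format-Table -AutoSize

$creds = @(Get-ExchangeOnlineSpKeyCredentials)
if ($creds.Count -eq 0) {
    Write-Host 'No keyCredentials on the first-party service principal: cleanup state looks as expected.'
} else {
    Write-Warning "$($creds.Count) keyCredential(s) still attached to the first-party service principal; review them before considering the cleanup step done."
    $creds | Format-Table -AutoSize
}
```

Run the first function from the Exchange Management Shell on an on-premises server and the second from any workstation with the Graph modules; an account with only `Application.Read.All` can run the audit without being able to change anything, which is the right privilege level for a recurring check. An expired entry is still worth removing: it is the presence of on-premises-controlled credentials on the tenant-side principal, not their validity period, that the cleanup step is about.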
(des)