Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability



A graphic banner from Tenable Research Special Operations. In the center, the word "ADVISORY" is in large orange letters on a white hexagon. Below it, the text reads "Frequently Asked Questions (FAQ)". The background is made of colorful diagonal stripes.

Frequently asked questions about CVE-2025-53786, an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.

FAQ

What is CVE-2025-53786

CVE-2025-53786 is an elevation of privilege (EoP) vulnerability affecting hybrid deployments of Microsoft Exchange Server. An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment. This flaw exists due to Exchange Server and Exchange Online sharing “the same service principal in hybrid configurations.”

When was CVE-2025-53786 first disclosed?

Microsoft first disclosed CVE-2025-53786 on August 6. According to the security advisory, Microsoft identified the vulnerability after further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments.

Was this exploited as a zero-day?

As of August 7, no known exploitation has been observed by Microsoft. However, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

What makes CVE-2025-53786 so serious?

While exploitation of this EoP vulnerability requires an attacker to have administrative access to an on-prem Exchange Server, successful exploitation would impact a victims Exchange Online cloud environment. This vulnerability exists because Exchange Server and Exchange Online share the same service principal. According to Microsoft, a successful attack would not leave an “easily detectable and auditable trace.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert for CVE-2025-53786 on August 6, stressing that “if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”

CISA followed up with Emergency Directive ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7, directing federal agencies to take immediate action by 9:00 AM ET on Monday August 11 to address the flaw.

Is there a proof-of-concept (PoC) available for this vulnerability?

At the time this blog was published on August 7, no PoC had been identified for CVE-2025-53786.

Are patches or mitigations available for CVE-2025-53786?

Microsoft released a Hot Fix on April 18 that improved the security of Exchange hybrid deployments that mitigates this issue. In order to be fully protected, it is recommended that the Hot Fix or a later release is applied. In addition, Microsoft recommends applying the configuration recommendations in the article Deploy dedicated Exchange hybrid app.

Additionally, Microsoft recommends that customers who previously configured Exchange hybrid or OAuth authentication for Exchange Server to Exchange Online and no longer use it to ensure you have “reset the service principal's keyCredentials.”

We recommend reviewing Microsoft’s security advisory for CVE-2025-53786 for the latest recommendations from Microsoft.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page for CVE-2025-53786 as they’re released.

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Cybersecurity news you can use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.