A newly disclosed Microsoft Exchange vulnerability poses “grave risk to all organisations” operating affected systems, CISA warned Thursday as it ordered US government agencies to take action.
The post-auth flaw, tracked as CVE-2025-53786, affects Microsoft Exchange hybrid-joined configurations and could allow attackers to move laterally to a business's M365 cloud environment.
While an attacker would first need to gain admin access to an on-premise Exchange server, CISA is “deeply concerned at the ease with which a threat actor could escalate privileges.”
Neither CISA nor Microsoft has identified exploitation of the high-severity vulnerability yet, but the latter said its assessment found exploitation “more likely” to occur.
Patching already available
Microsoft first disclosed the issue, with a CVSS score of 8, late Wednesday, but said both installing an April 2025 Hotfix and following its related security guidance would patch the issue.
It cautioned the hotfix alone will not have fixed the issue and urged organisations to take steps to safely transition to the new dedicated Exchange Hybrid Application.
CISA said government agencies will need to implement the fixes, disconnect all end-of-life servers, and file a report on their actions by Monday, 11 August.
The issue affects Microsoft Exchange Server 2016, 2019, and Subscription Editions in hybrid configurations, where online and on-premises servers share the same service principal to authenticate one another.
Silent movement
Because exploitation would start from admin access, Microsoft warned an attacker could escalate privileges “without leaving easily detectable and auditable trace.”
CVE-2025-53786 was discovered by Outsider Security researcher Dirk-jan Mollema and publicly disclosed during his presentation at Black Hat USA in Las Vegas this week, following collaboration with Microsoft.
He explained an on-premise server’s certificate credentials can be used to forge trusted tokens and API calls to gain access to a connected cloud server and avoid detection by logging tools such as Microsoft Purview.
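The shared service principal the article describes is the Exchange Online first-party application in Entra ID, and the certificate credentials added to it by the legacy hybrid setup are what the transition to the dedicated Exchange Hybrid Application is meant to retire. As an added example, not code from the article, Microsoft or the researcher, the following Microsoft Graph PowerShell audit lists any certificate credentials still attached to that service principal so an administrator can confirm clean-up after applying the hotfix and guidance. It assumes the Microsoft.Graph PowerShell module is installed, that the account used holds the Application.Read.All permission, and that the well-known appId 00000002-0000-0ff1-ce00-000000000000 identifies Office 365 Exchange Online in the tenant.

```powershell
# Audit certificate credentials on the shared Exchange Online service principal.
# Added example; assumes the Microsoft.Graph module and Application.Read.All consent.
Import-Module Microsoft.Graph.Applications

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known first-party appId

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'" -Property Id,DisplayName,KeyCredentials
if (-not $sp) {
    Write-Warning 'Exchange Online service principal not found in this tenant.'
    return
}

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

# Each keyCredential is a certificate the service principal will accept for authentication.
# Legacy hybrid deployments add the on-premises auth certificate here; after moving to the
# dedicated Exchange Hybrid Application, no such entries should remain.
$certs = @($sp.KeyCredentials | Where-Object { $_.Type -eq 'AsymmetricX509Cert' })

if ($certs.Count -eq 0) {
    Write-Host 'No certificate credentials present on the shared service principal.'
} else {
    Write-Warning "$($certs.Count) certificate credential(s) still attached; review against Microsoft's hybrid guidance."
    $certs | Select-Object KeyId, DisplayName, Usage, StartDateTime, EndDateTime |
        Format-Table -AutoSize
}

Disconnect-MgGraph | Out-Null
```

Any entry reported here should be reconciled against the current hybrid configuration; a certificate whose expiry or display name does not match a known on-premises server is worth investigating before it is removed.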
The Microsoft Exchange issue comes just a few weeks after Redmond saw active exploitation of a critical zero-day SharePoint vulnerability that hit at least 85 companies and government bodies.