Identity, Cloud Security, Email security

High-severity Exchange Server flaw can lead to exploit of Exchange Online


Microsoft on Aug. 6 advised customers to fix a high-severity on-premises Exchange Server flaw that could potentially escalate privileges within an organization’s connected Exchange cloud environment without leaving an easily detectable or auditable trace.

The software giant said the risk arises because Exchange Server and Exchange Online share the same service principal — a shared identity used for authentication between the two environments in a hybrid configuration.  

Exploitation would first require an attacker to gain administrative access to an on-premises Exchange Server, Microsoft said.
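The risk the article describes lies in the single identity that on-premises Exchange and Exchange Online share for authentication, so a defender's first question is which credentials can currently authenticate as that identity. The following is an added example, not code from the article, Microsoft or CISA: it lists the key credentials (certificates) attached to the Exchange Online service principal in a tenant so they can be compared against what the hybrid deployment is expected to use. It assumes the Microsoft Graph PowerShell SDK, consent for the Application.Read.All permission, and uses the well-known application ID of the first-party "Office 365 Exchange Online" app.

```powershell
# Added example: audit the certificates that can authenticate as the
# Exchange Online service principal shared with hybrid on-prem Exchange.
# Assumes the Microsoft.Graph PowerShell SDK and Application.Read.All consent.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Well-known application ID of the first-party "Office 365 Exchange Online" app.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"

$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" `
        -Property "Id,DisplayName,KeyCredentials"
if (-not $sp) { throw "Exchange Online service principal not found in this tenant" }

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

# Every key credential here is a certificate that can obtain tokens as this
# identity. In a hybrid deployment the on-prem hybrid certificate is expected;
# anything unrecognised, recently added or long expired deserves investigation.
$now = Get-Date
$sp.KeyCredentials |
    Sort-Object EndDateTime |
    ForEach-Object {
        [pscustomobject]@{
            KeyId       = $_.KeyId
            DisplayName = $_.DisplayName
            Usage       = $_.Usage
            NotBefore   = $_.StartDateTime
            NotAfter    = $_.EndDateTime
            Expired     = ($_.EndDateTime -lt $now)
            # CustomKeyIdentifier carries the certificate thumbprint as bytes.
            Thumbprint  = if ($_.CustomKeyIdentifier) {
                              ([System.BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', ''
                          } else { $null }
        }
    } | Format-Table -AutoSize
```

Run this with a read-only account and compare the thumbprints against the certificate your Hybrid Configuration Wizard run registered; a credential nobody can account for is exactly the kind of trace the article warns is otherwise hard to spot, and it should be investigated before any clean-up.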

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of this high-severity vulnerability — CVE-2025-53786 — and also posted an advisory on Aug. 6.

CISA said the flaw would let a cyber threat actor with administrative access to an on-premise Microsoft Exchange server escalate privileges by exploiting vulnerable hybrid-joined configurations.

“This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service,” wrote CISA.

Nic Adams, co-founder and CEO at 0rcus, explained that threat actors who achieve admin access on the on-premise server can potentially leverage this trust to forge or manipulate tokens.

“It’s important to understand how this is a one-way vector, allowing a pivot from a compromised on-premise state to the cloud,” said Adams. “Not reverse, because it creates a critical vulnerability for hybrid deployments with inadequate security hygiene.”
