
Thousands of Exchange Servers unpatched in light of high-severity flaw


Scans from threat monitoring platform Shadowserver found that more than 29,000 instances of a high-severity on-premises Exchange Server flaw that both Microsoft and CISA advised teams to fix last week are still unpatched.

While no in-the-wild exploitation has been reported to date, security experts are concerned that if teams do not patch the CVE-2025-53786 on-premises Exchange Server flaw soon, an attacker who already holds administrative access to an on-premises server could use it to pivot into and compromise the organization's Exchange Online cloud environment.

SC Media reported Aug. 7 that Microsoft said the risk arises because Exchange Server and Exchange Online share the same service principal — a shared identity used for authentication between the two environments in a hybrid configuration.  

According to CISA, the flaw could let a threat actor with administrative access to an on-premises Microsoft Exchange server escalate privileges by exploiting vulnerable hybrid-joined configurations.

“This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service,” wrote CISA in an update Aug. 7.

Thomas Richards, infrastructure security practice director at Black Duck, said patching the server is not enough: because a compromise is difficult to detect, Microsoft has also published actions for teams to take to make sure any compromised trust tokens are rotated.

“This is essential for teams to follow for a full remediation and to ensure uncompromised trust in software,” said Richards. “If the system is unpatched, CISA has warned of a complete compromise of Exchange and Active Directory being possible. If compromised, it could cause a detrimental impact to business operations.”
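The shared identity described above is a concrete object an administrator can inspect. The following PowerShell check is an added example, not code from SC Media, Microsoft or any of the people quoted in this article: it lists the key credentials still attached to the tenant's first-party "Office 365 Exchange Online" service principal, the principal that on-premises Exchange shares with Exchange Online in the legacy hybrid configuration and the one whose credentials Microsoft's rotation guidance resets. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may read service principals (Application.Read.All), and that the application ID is the well-known one for Office 365 Exchange Online; the function name is this example's own.

```powershell
# Added example, not code from the article, SC Media, Microsoft or the people quoted.
# Lists the keyCredentials still attached to the first-party "Office 365 Exchange Online"
# service principal, the identity that on-premises Exchange shares with Exchange Online
# in the legacy hybrid OAuth setup. Assumes the Microsoft.Graph PowerShell module and an
# account allowed to read service principals (Application.Read.All).
function Get-ExoSharedPrincipalKeyCredentials {
    [CmdletBinding()]
    param(
        # Well-known application ID of the Office 365 Exchange Online first-party app.
        [string]$ExoAppId = "00000002-0000-0ff1-ce00-000000000000"
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'" -ErrorAction Stop
    if (-not $sp) {
        throw "No service principal with appId $ExoAppId found in this tenant."
    }

    # Each keyCredential is a certificate with which a caller can obtain tokens as this
    # principal; in a hybrid deployment these are typically the on-premises Exchange
    # OAuth certificates uploaded when hybrid authentication was configured.
    foreach ($cred in $sp.KeyCredentials) {
        [pscustomobject]@{
            ServicePrincipalId = $sp.Id
            DisplayName        = $cred.DisplayName
            KeyId              = $cred.KeyId
            Type               = $cred.Type
            Usage              = $cred.Usage
            NotBefore          = $cred.StartDateTime
            NotAfter           = $cred.EndDateTime
            Expired            = ($cred.EndDateTime -lt (Get-Date))
        }
    }
}

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
$creds = @(Get-ExoSharedPrincipalKeyCredentials)

if ($creds.Count -eq 0) {
    Write-Host "No keyCredentials remain on the shared Exchange Online service principal."
} else {
    Write-Warning "$($creds.Count) keyCredential(s) still attached; on-premises Exchange can still obtain tokens that Exchange Online trusts with these."
    $creds | Format-Table DisplayName, KeyId, NotBefore, NotAfter, Expired -AutoSize
}
```

Run it before and after applying Microsoft's remediation. Microsoft's guidance for this flaw (its ConfigureExchangeHybridApplication.ps1 script, which this article does not name) moves hybrid authentication to a dedicated application and then resets the key credentials on this shared principal, so an empty list afterward is the expected end state; credentials that remain, expired or not, are still usable by whoever holds the matching private key on the on-premises side.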

Nic Adams, co-founder and CEO at 0rcus, explained that an important concern with this vulnerability is that malicious activity originating from the on-premises server may not leave easily detectable or auditable traces in the cloud environment.

“This makes it incredibly difficult for security teams to identify a breach in progress, allowing an attacker to operate undetected,” said Adams. “A successful exploit could give an attacker significant control over a victim's entire Microsoft 365 environment. This level of access could let them steal sensitive data, including emails and other cloud-stored information.”

Adams said they could also do the following: impersonate users with valid tokens; modify user passwords and permissions; and establish persistent, long-term access to the network.

“The fact that Shadowserver has identified thousands of unpatched servers in countries like the United States, Germany, and Russia indicates a widespread and pressing security threat,” said Adams.
