CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
Frequently asked questions about CVE-2025-53786, an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.
FAQ
What is CVE-2025-53786
CVE-2025-53786 is an elevation of privilege (EoP) vulnerability affecting hybrid deployments of Microsoft Exchange Server. An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment. This flaw exists due to Exchange Server and Exchange Online sharing “the same service principal in hybrid configurations.”
When was CVE-2025-53786 first disclosed?
Microsoft first disclosed CVE-2025-53786 on August 6. According to the security advisory, Microsoft identified the vulnerability after further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments.
Was this exploited as a zero-day?
As of August 7, no known exploitation has been observed by Microsoft. However, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
What makes CVE-2025-53786 so serious?
While exploitation of this EoP vulnerability requires an attacker to have administrative access to an on-prem Exchange Server, successful exploitation would impact a victims Exchange Online cloud environment. This vulnerability exists because Exchange Server and Exchange Online share the same service principal. According to Microsoft, a successful attack would not leave an “easily detectable and auditable trace.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert for CVE-2025-53786 on August 6, stressing that “if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”
CISA followed up with Emergency Directive ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7, directing federal agencies to take immediate action by 9:00 AM ET on Monday August 11 to address the flaw.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog was published on August 7, no PoC had been identified for CVE-2025-53786.
Are patches or mitigations available for CVE-2025-53786?
Microsoft released a Hot Fix on April 18 that improved the security of Exchange hybrid deployments that mitigates this issue. In order to be fully protected, it is recommended that the Hot Fix or a later release is applied. In addition, Microsoft recommends applying the configuration recommendations in the article Deploy dedicated Exchange hybrid app.
Additionally, Microsoft recommends that customers who previously configured Exchange hybrid or OAuth authentication for Exchange Server to Exchange Online and no longer use it to ensure you have “reset the service principal's keyCredentials.”
We recommend reviewing Microsoft’s security advisory for CVE-2025-53786 for the latest recommendations from Microsoft.
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page for CVE-2025-53786 as they’re released.
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- Microsoft Security Advisory for CVE-2025-53786
- Microsoft Article: Deploy dedicated Exchange hybrid app
- Microsoft Blog: Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions
- CISA Alert: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Senior Staff Research Engineer, Security Response
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Related articles
CVE-2025-7775: Citrix NetScaler ADC and NetScaler Gateway Zero-Day Remote Code Execution Vulnerability Exploited in the Wild
Citrix has released patches to address a zero-day remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that has been exploited. Organizations are urged to patch immediately....
Tenable Is a Leader in the IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment
This recognition is about more than just our technology leadership — it reflects the real-world outcomes that the Tenable One Exposure Management Platform delivers....
How Exposure Management Has Helped Tenable Reduce Risk and Align with the Business
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In the second of a two-part blog series, Tenable CSO Robert Huber shares how exposure management has helped him reduce risk and bet...
- Exposure Management
- Vulnerability Management