CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability

Frequently asked questions about CVE-2025-53786, an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.
FAQ
What is CVE-2025-53786?
CVE-2025-53786 is an elevation of privilege (EoP) vulnerability affecting hybrid deployments of Microsoft Exchange Server. An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment. This flaw exists due to Exchange Server and Exchange Online sharing “the same service principal in hybrid configurations.”
When was CVE-2025-53786 first disclosed?
Microsoft first disclosed CVE-2025-53786 on August 6. According to the security advisory, Microsoft identified the vulnerability after further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments.
Was this exploited as a zero-day?
As of August 7, no known exploitation has been observed by Microsoft. However, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
What makes CVE-2025-53786 so serious?
While exploitation of this EoP vulnerability requires an attacker to already hold administrative access to an on-prem Exchange Server, successful exploitation impacts the victim's Exchange Online cloud environment. The vulnerability exists because Exchange Server and Exchange Online share the same service principal in hybrid configurations, so a token minted with the on-prem side's credentials is trusted by the cloud side. According to Microsoft, a successful attack would not leave an “easily detectable and auditable trace.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert for CVE-2025-53786 on August 6, stressing that the vulnerability, “if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”
CISA followed up with Emergency Directive ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7, directing federal agencies to take immediate action by 9:00 AM ET on Monday August 11 to address the flaw.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog was published on August 7, no PoC had been identified for CVE-2025-53786.
Are patches or mitigations available for CVE-2025-53786?
Microsoft released a Hot Fix on April 18 that improves the security of Exchange hybrid deployments and mitigates this issue. To be fully protected, apply that Hot Fix or a later release and then follow the configuration steps in the Microsoft article Deploy dedicated Exchange hybrid app, which moves the hybrid trust off the shared service principal and onto a dedicated application.
Additionally, Microsoft recommends that customers who previously configured Exchange hybrid or OAuth authentication between Exchange Server and Exchange Online, and no longer use it, ensure they have “reset the service principal's keyCredentials.” Any certificate still registered there remains a credential that can authenticate to Exchange Online in the tenant.
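The following script is an added example, not code from Tenable or from Microsoft's article. It audits the keyCredentials registered on the shared “Office 365 Exchange Online” service principal in the tenant and, only when explicitly asked, clears them, which is the reset step described above. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account can consent to the Application.ReadWrite.All scope, and that the service principal is looked up by the well-known first-party AppId 00000002-0000-0ff1-ce00-000000000000 (the display name is printed so you can confirm the match before acting).

```powershell
# Added example: audit and optionally reset keyCredentials on the shared Exchange Online
# service principal. Not part of Microsoft's or Tenable's guidance; see the lead-in for assumptions.
# Requires: Install-Module Microsoft.Graph (Microsoft.Graph.Applications is used here).

function Invoke-ExchangeOnlineSpKeyAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Well-known AppId of the first-party "Office 365 Exchange Online" application (assumption:
        # verify the DisplayName printed below before resetting anything).
        [string]$AppId = '00000002-0000-0ff1-ce00-000000000000',
        # Only clear the keyCredentials when this switch is given; the default is audit only.
        [switch]$Reset
    )

    # Interactive sign-in; Application.ReadWrite.All is needed for the reset path.
    Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        throw "No service principal with appId $AppId exists in this tenant."
    }

    # Audit: every keyCredential here is a certificate that can obtain tokens for Exchange
    # Online in this tenant through the legacy shared-principal hybrid trust.
    $creds = @($sp.KeyCredentials)
    Write-Host ("{0} ({1}) has {2} keyCredential(s)" -f $sp.DisplayName, $sp.Id, $creds.Count)
    $creds |
        Select-Object DisplayName, Type, Usage, StartDateTime, EndDateTime, KeyId |
        Format-Table -AutoSize

    # Flag anything already expired or not yet valid; expired entries are pure leftovers.
    $now = Get-Date
    foreach ($c in $creds) {
        if ($c.EndDateTime -lt $now) {
            Write-Warning ("Expired keyCredential still registered: {0} (ended {1})" -f $c.KeyId, $c.EndDateTime)
        }
    }

    if (-not $Reset) {
        Write-Host 'Audit only. Re-run with -Reset to clear the keyCredentials.'
        return $creds
    }

    if ($creds.Count -eq 0) {
        Write-Host 'Nothing to reset: keyCredentials is already empty.'
        return $creds
    }

    # Reset: clearing the list removes the legacy hybrid trust. Do this only after the
    # dedicated Exchange hybrid app is in place or hybrid/OAuth is no longer used, because
    # legacy hybrid features that still rely on this trust stop working.
    if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Remove all keyCredentials from service principal')) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
        $after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
        Write-Host ("keyCredentials after reset: {0}" -f @($after.KeyCredentials).Count)
        return @($after.KeyCredentials)
    }
}

# Usage (audit first, then reset with a confirmation prompt):
#   Invoke-ExchangeOnlineSpKeyAudit
#   Invoke-ExchangeOnlineSpKeyAudit -Reset -Confirm
```

Run the audit form first and keep its output; a non-empty keyCredentials list on this service principal after you have moved to the dedicated hybrid app, or after you have stopped using hybrid altogether, is exactly the leftover Microsoft's reset recommendation targets. The `-WhatIf` switch works as well because the function supports ShouldProcess.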
We recommend reviewing Microsoft’s security advisory for CVE-2025-53786 for the latest recommendations from Microsoft.
Has Tenable released any product coverage for this vulnerability?
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-53786 as they’re released.
This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
- Microsoft Security Advisory for CVE-2025-53786
- Microsoft Article: Deploy dedicated Exchange hybrid app
- Microsoft Blog: Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions
- CISA Alert: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Exposure Management
- Vulnerability Management