Security bug allowed hackers to move from on-prem to the cloud
Microsoft finds high-severity flaw in hybrid Exchange instances
Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition
A hotfix is available, so users should update now
Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in hybrid Exchange deployments.
Microsoft describes the issue as an “improper authentication” bug, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Threat actors with admin access to an on-prem Exchange Server can use the vulnerability to escalate privileges into the connected Exchange Online environment due to trust flaws in shared service principal configurations.
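The article names the root of the problem as a trust relationship carried by a service principal shared between on-premises Exchange and Exchange Online. The script below is an added audit example, not code from the article or from Microsoft: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can read application objects, and that the shared principal in question is the tenant's first-party "Office 365 Exchange Online" service principal (well-known appId 00000002-0000-0ff1-ce00-000000000000), on which a classic hybrid configuration registers the on-premises Exchange OAuth certificate as a keyCredential. It lists any certificate credentials still attached to that principal so an administrator can see whether the on-prem-to-cloud trust path described above is still in place.

```powershell
# Added audit example (not from the article or from Microsoft). Assumptions:
#  - Microsoft.Graph PowerShell SDK is installed; the account has Application.Read.All
#  - the shared service principal is the first-party "Office 365 Exchange Online"
#    principal, appId 00000002-0000-0ff1-ce00-000000000000 (assumed well-known value)
#  - classic hybrid setup stores the on-prem Exchange certificate in its keyCredentials
# A non-empty keyCredentials list means on-prem Exchange can still authenticate to
# Exchange Online through the shared principal, i.e. the trust path still exists.

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # assumed well-known first-party appId
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" -Property Id,DisplayName,AppId,KeyCredentials

if (-not $sp) {
    Write-Output "No Exchange Online service principal found in this tenant."
    return
}

$keys = @($sp.KeyCredentials)
Write-Output ("Service principal: {0} ({1})" -f $sp.DisplayName, $sp.Id)
Write-Output ("keyCredentials present: {0}" -f $keys.Count)

if ($keys.Count -eq 0) {
    Write-Output "OK: no certificate credentials on the shared principal; on-prem Exchange is not trusted through it."
} else {
    Write-Output "REVIEW: certificate credentials are still trusted on the shared principal:"
    $keys | ForEach-Object {
        [pscustomobject]@{
            KeyId     = $_.KeyId
            Name      = $_.DisplayName
            Usage     = $_.Usage
            NotBefore = $_.StartDateTime
            NotAfter  = $_.EndDateTime
            Expired   = ($_.EndDateTime -lt (Get-Date))   # stale entries still count as trust until removed
        }
    } | Format-Table -AutoSize
    Write-Output "Match each entry to a known on-prem Exchange auth certificate; unrecognised or stale entries warrant investigation."
}
```

A non-empty list does not by itself indicate compromise; it shows that the tenant still relies on the shared-principal trust the article describes, which is the configuration the hotfix guidance addresses. Entries that cannot be matched to a current on-premises Exchange certificate, or that belong to servers already decommissioned, are the ones to follow up on first.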