Arctic Wolf Security Bulletin

CVE-2025-53786: U.S. CISA Issues Emergency Directive for Post-Authentication Vulnerability in Microsoft Exchange Hybrid Configurations


On August 6, 2025, Microsoft disclosed a high-severity post-authentication vulnerability in on-premises Microsoft Exchange servers that are configured for hybrid deployment with Exchange Online, tracked as CVE-2025-53786. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-02, which requires federal agencies to remediate the vulnerability by Monday, August 11, 2025. Apart from the United States, the only government advisory known at the time of writing is from Spain's INCIBE-CERT.

In affected hybrid deployments, a threat actor who already holds administrative access to an on-premises Exchange server can use this vulnerability to escalate privileges into the connected Microsoft 365 tenant. The root cause is that, in a hybrid configuration, Exchange Server and Exchange Online share the same service principal in Entra ID, so credentials trusted for the on-premises server are also trusted by the cloud service.

Microsoft had originally addressed this weakness in April 2025 through a non-security hotfix and accompanying configuration guidance (deploying a dedicated Exchange hybrid app so that the on-premises server no longer shares the Exchange Online service principal). At the time, the change was presented as a general security improvement for hybrid Exchange; Microsoft later identified it as remediating a specific vulnerability and assigned it CVE-2025-53786.

Arctic Wolf has not observed active exploitation or a publicly available proof-of-concept exploit for this vulnerability at the time of writing. Nonetheless, threat actors may target it in the near future given the level of tenant-wide access that a successful attack yields, and given that the precondition (administrative access to an on-premises Exchange server) is one that attackers frequently obtain.

Technical Details

The vulnerability was detailed in a presentation at Black Hat 2025 by the researcher who discovered it. In hybrid environments, Exchange Server authenticates to Exchange Online over OAuth using a certificate that is installed on the on-premises server and registered as a credential on the shared service principal. A threat actor who can read that certificate (which an on-premises Exchange administrator can do) can request service tokens from Microsoft's Access Control Service (ACS). Those tokens can be used to impersonate hybrid users and obtain broad access to Exchange Online and SharePoint, bypassing Conditional Access policies and leaving minimal logging on the cloud side. The tokens are valid for up to 24 hours, so revoking the on-premises access does not immediately close the window once a token has been issued.

Recommendation for CVE-2025-53786

Upgrade to Patched Version

For Microsoft 365 hybrid configurations, especially in the government sector, Arctic Wolf recommends that customers either apply the April 2025 hotfix or upgrade to the latest cumulative update, and then complete Microsoft's accompanying configuration guidance for the dedicated Exchange hybrid app. The hotfix on its own only makes the new configuration available; the exposure remains until the on-premises server stops using the shared service principal.

Affected Product                                        Update Article
Microsoft Exchange Server 2016 Cumulative Update 23      KB5050674
Microsoft Exchange Server 2019 Cumulative Update 14      KB5050673
Microsoft Exchange Server 2019 Cumulative Update 15      KB5050672
Microsoft Exchange Server Subscription Edition RTM       KB5047155

The update downloads are linked from the corresponding KB articles.

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
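The check below is an added example and is not part of the Arctic Wolf bulletin or of Microsoft's guidance. It inventories the two halves of the hybrid OAuth trust described under Technical Details: the certificate that on-premises Exchange uses for OAuth, and the certificates registered on the Exchange Online service principal in the tenant, so an administrator can see whether the on-premises certificate is still a credential of the shared service principal after applying the hotfix and the dedicated hybrid app configuration. It assumes it is run from the Exchange Management Shell on a hybrid server with WinRM access to the other Exchange servers, and that the Microsoft Graph PowerShell SDK is installed; the application ID used is the well-known first-party "Office 365 Exchange Online" app ID, and no tenant or server names are assumed.

```powershell
# Added example (not from the bulletin or from Microsoft).
# Assumptions: Exchange Management Shell on a hybrid server, WinRM to the other
# Exchange servers, Microsoft.Graph module installed (Install-Module Microsoft.Graph).

# --- On-premises side -------------------------------------------------------
# AdminDisplayVersion does not change when a hotfix or security update is installed,
# so read the ExSetup.exe file version from each server instead.
$builds = Get-ExchangeServer | ForEach-Object {
    $name = $_.Name
    $exsetupVersion = Invoke-Command -ComputerName $name -ScriptBlock {
        (Get-Command "$env:ExchangeInstallPath\bin\ExSetup.exe").FileVersionInfo.ProductVersion
    }
    [pscustomobject]@{
        Server              = $name
        AdminDisplayVersion = $_.AdminDisplayVersion
        ExSetupBuild        = $exsetupVersion   # compare against the build in the KB article for your CU
    }
}
$builds | Format-Table -AutoSize

# The certificate Exchange uses for OAuth is the one an attacker needs.
$onPremThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
"On-premises OAuth certificate thumbprint: $onPremThumbprint"
Get-ExchangeCertificate -Thumbprint $onPremThumbprint |
    Select-Object Subject, NotBefore, NotAfter, Services

# --- Cloud side --------------------------------------------------------------
# List every credential registered on the Exchange Online service principal.
# 00000002-0000-0ff1-ce00-000000000000 is the well-known app ID of "Office 365 Exchange Online".
Connect-MgGraph -Scopes "Application.Read.All"
$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"

$cloudKeys = $exoSp.KeyCredentials | ForEach-Object {
    [pscustomobject]@{
        DisplayName   = $_.DisplayName
        KeyId         = $_.KeyId
        Type          = $_.Type
        Usage         = $_.Usage
        StartDateTime = $_.StartDateTime
        EndDateTime   = $_.EndDateTime
        # CustomKeyIdentifier carries the certificate thumbprint as raw bytes.
        Thumbprint    = (($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join '')
    }
}
$cloudKeys | Format-Table -AutoSize

# --- Correlate ---------------------------------------------------------------
if ($cloudKeys.Thumbprint -contains $onPremThumbprint) {
    Write-Warning "The on-premises OAuth certificate is still a credential of the shared Exchange Online service principal."
} else {
    "On-premises OAuth certificate is not registered on the shared service principal."
}

# Any credential on the shared service principal that is already expired, or that nobody
# can attribute to a known Exchange server, is worth removing after confirming it is unused.
$cloudKeys | Where-Object { $_.EndDateTime -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired credential still present: KeyId $($_.KeyId) ($($_.DisplayName))" }
```

The correlation step is the point of the exercise: after the hotfix is installed and the dedicated hybrid app is in use, the on-premises certificate should no longer appear among the shared service principal's credentials. While it does, the attack path in Technical Details remains open regardless of the Exchange build number, so record the output before and after remediation rather than relying on the patch level alone.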
