Microsoft urges users to be on alert following high-severity flaw in hybrid Exchange deployments


  • Microsoft finds high-severity flaw in hybrid Exchange instances
  • Both Exchange Server 2016 and Exchange Server 2019 are affected, and so is Microsoft Exchange Server Subscription Edition
  • A hotfix is available, so users should update now

Microsoft has urged its customers to be on high alert after discovering a dangerous vulnerability in hybrid Exchange deployments.

Microsoft describes the issue as an “improper authentication” bug, tracked as CVE-2025-53786 with a severity score of 8.0/10 (high). Threat actors with admin access to an on-prem Exchange Server can use the vulnerability to escalate privileges into the connected Exchange Online environment due to trust flaws in shared service principal configurations.

Matters could be even worse, as activity from on-prem Exchange doesn’t always generate logs associated with malicious behavior in Microsoft 365, which could result in cyberattacks not being spotted via cloud-based auditing.

Copyright of this story solely belongs to techradar.com.