Executive Summary
Vulnerability Description
CVE-2025-53786 is an Elevation of Privilege (EoP) flaw in hybrid Microsoft Exchange Server deployments. Attackers with administrative rights on an on-premises Exchange Server can exploit the shared service principal trust to gain control of the connected Exchange Online environment.
Affected Products and Versions:
- Microsoft Exchange Server 2016 (Hybrid deployments)
- Microsoft Exchange Server 2019 (Hybrid deployments)
Severity: CVSS v3.1 score 8.0 (High)
Exploit Status: No active exploitation observed yet
This vulnerability illustrates how a trusted hybrid connection can be weaponized for total domain compromise. To mitigate:
- Use MDVM to detect, track, and prioritize remediation
- Patch promptly with the April 2025 hotfix or a newer update
- Deploy the dedicated hybrid app and reset the shared service principal credentials
- Isolate or disconnect unsupported servers
Detection
Defender Vulnerability Management (MDVM) provides vulnerability assessment across all your devices. Search for this CVE in the search bar or navigate directly to its CVE page to view the detailed list of exposed devices within your organization.
You can use Advanced Hunting in MDVM to find devices vulnerable to CVE-2025-53786, focusing on those in hybrid configurations that are missing the required hotfixes:
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-53786"
| summarize by DeviceName, CveId
Use this link to run it directly in your environment: https://security.microsoft.com/v2/advanced-hunting?query=H4sIAPVzmGgAA12OuwrCUBBETy34D8FaQZSojZWxsLFR0vu4YiBRSKJB8eM9BgSRZe4Ms8vMTQjcyTjIW1XBhisnahp2lLopN3IuqlJn720uahGoiOjS4SU3nNuboF6YFFhxVM-diJ5eypIBI4YiVsWMmTJj4vabUtlWOJ_ujGebtufhm_z8dO2-kPt_XW8LsZnWzgAAAA&timeRangeId=month
Mitigation and Best Practices
Patch and Upgrade
Install the April 2025 Hotfix (or newer) to enable the Dedicated Exchange Hybrid App or upgrade to the latest cumulative update:
- Microsoft Exchange Server 2019 Cumulative Update 14 - Update
- Microsoft Exchange Server 2016 Cumulative Update 23 - Update
- Microsoft Exchange Server 2019 Cumulative Update 15 - Update
- Microsoft Exchange Server Subscription Edition RTM - Update
Reconfigure Hybrid Trust
Goal: Replace the legacy shared service principal trust with the Dedicated Exchange Hybrid App in Entra ID, then remove the leftover trust.
Deploy and Enable the Dedicated Hybrid App
Recommended script:
.\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication
Or split steps:
.\ConfigureExchangeHybridApplication.ps1 -CreateExchangeHybridApplication
.\ConfigureExchangeHybridApplication.ps1 -EnableExchangeHybridApplication
Alternative via Hybrid Configuration Wizard (HCW):
Run the updated HCW to create the dedicated app, then enable it manually.
Reference: https://aka.ms/ConfigureExchangeHybridApplication-Docs
Remove the Legacy Shared Trust
After the dedicated app is active, run the script in clean-up mode:
.\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials
Details: https://aka.ms/ConfigureExchangeHybridApplication-Docs#service-principal-clean-up-mode
Verify
Confirm that the dedicated app is enabled for the on-premises servers and that the shared service principal no longer holds your key credentials. Re-run the clean-up step whenever HCW is executed again, since that can reintroduce the shared credentials.
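An added check for the Entra ID half of that verification, not part of this advisory or of Microsoft's ConfigureExchangeHybridApplication.ps1: it lists any key credentials still attached to the shared Exchange Online service principal. It assumes the Microsoft.Graph.Applications module, consent for Application.Read.All, and that the first-party "Office 365 Exchange Online" service principal carries the well-known appId shown (confirm it against your tenant).

```powershell
# Verification script (added example). Exit code 0 = clean, 1 = credentials remain.
param(
    # Assumed well-known appId of the "Office 365 Exchange Online" first-party
    # service principal; confirm it matches the principal in your tenant.
    [string]$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
)

# Read-only Graph scope is sufficient to inspect service principal credentials.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
if (-not $sp) {
    throw "No service principal found for appId $ExchangeOnlineAppId."
}

$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Host "OK: no key credentials remain on the shared Exchange Online service principal ($($sp.DisplayName))."
    exit 0
}

# Any credential left here means the clean-up mode has not taken effect or HCW
# re-added one. Split expired from still-valid keys so the active ones stand out.
$now     = Get-Date
$active  = @($keys | Where-Object { $_.EndDateTime -gt $now })
$expired = @($keys | Where-Object { $_.EndDateTime -le $now })

Write-Warning "$($keys.Count) key credential(s) still present on $($sp.DisplayName): $($active.Count) active, $($expired.Count) expired."
$keys |
    Select-Object DisplayName, KeyId, Type, Usage, StartDateTime, EndDateTime |
    Sort-Object EndDateTime -Descending |
    Format-Table -AutoSize

exit 1
```

Run it again after any HCW execution; a non-zero exit code is a simple hook for a scheduled regression check.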
Conclusion
CVE-2025-53786 is a high-impact vulnerability in the hybrid trust model. While no exploitation has been confirmed, the potential for full domain compromise requires immediate action:
- Apply the latest patches
- Enable the dedicated hybrid app
- Remove shared trust keys
- Verify configuration
Use MDVM to continuously surface lagging servers, track remediation, and monitor for regressions such as HCW re-execution. Embed these steps into standard procedures to prevent future exposure.