Microsoft Defender Vulnerability Management Blog
MDVM Guidance for CVE-2025-53786: Exchange Hybrid Privilege Escalation

MotiBani
Aug 12, 2025

Executive Summary

Vulnerability Description

CVE-2025-53786 is an Elevation of Privilege (EoP) flaw in hybrid Microsoft Exchange Server deployments. Attackers with administrative rights on an on-premises Exchange Server can exploit the shared service principal trust to gain control of the connected Exchange Online environment.

Affected Products and Versions:

    • Microsoft Exchange Server 2016 (Hybrid deployments)
    • Microsoft Exchange Server 2019 (Hybrid deployments)

Severity: CVSS v3.1 score 8.0 (High)

Exploit Status: No active exploitation observed yet

This vulnerability illustrates how a trusted hybrid connection can be weaponized for total domain compromise. To mitigate:

  • Use MDVM to detect, track, and prioritize remediation
  • Patch promptly with April 2025 hotfix or newer patch
  • Deploy dedicated hybrid app and reset shared credentials reliably
  • Isolate or disconnect unsupported servers

Detection

The Defender Vulnerability Management solution provides comprehensive vulnerability assessment across all your devices. You can search for this vulnerability in the search bar or navigate directly to the CVE page to view the detailed list of the exposed devices within your organization.
You can use Advanced Hunting in MDVM to find devices vulnerable to CVE-2025-53786, focusing on those in hybrid configurations that are missing the required hotfixes:

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-53786"
| summarize by DeviceName, CveId

Use this link to run it directly in your environment: https://security.microsoft.com/v2/advanced-hunting?query=H4sIAPVzmGgAA12OuwrCUBBETy34D8FaQZSojZWxsLFR0vu4YiBRSKJB8eM9BgSRZe4Ms8vMTQjcyTjIW1XBhisnahp2lLopN3IuqlJn720uahGoiOjS4SU3nNuboF6YFFhxVM-diJ5eypIBI4YiVsWMmTJj4vabUtlWOJ_ujGebtufhm_z8dO2-kPt_XW8LsZnWzgAAAA&timeRangeId=month
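The query above lists vulnerable device names only. The following extended query is an added example, not part of the original post: it returns one row per affected device with the Exchange build MDVM observed, the update MDVM recommends, and when the device last reported, which is what a remediation owner needs to map each server to the correct hotfix. It assumes the standard column names of the DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB and DeviceInfo schemas.

```kql
// Added example (not from the original post). Assumes the standard MDVM
// Advanced Hunting schema columns named below.
let TargetCve = "CVE-2025-53786";
// Most recent report per device, so LastSeen flags stale inventory.
let LatestDeviceInfo =
    DeviceInfo
    | where isnotempty(DeviceName)
    | summarize arg_max(Timestamp, OSPlatform, MachineGroup) by DeviceId;
// KB metadata for the CVE: watch IsExploitAvailable flip from false to true.
let CveKb =
    DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId == TargetCve
    | project CveId, CvssScore, IsExploitAvailable;
DeviceTvmSoftwareVulnerabilities
| where CveId == TargetCve
| where SoftwareName contains "exchange"      // keep Exchange Server findings only
| join kind=leftouter LatestDeviceInfo on DeviceId
| join kind=leftouter CveKb on CveId
| project DeviceName, DeviceId, MachineGroup, OSPlatform,
          SoftwareName, SoftwareVersion,          // build the server is actually on
          RecommendedSecurityUpdate, RecommendedSecurityUpdateId,
          CvssScore, IsExploitAvailable,
          LastSeen = Timestamp
| sort by SoftwareVersion asc, DeviceName asc
```

The vulnerability table does not record whether a server is part of a hybrid deployment, so correlate the output with your own list of hybrid servers (for example those where the HCW has been run) before prioritizing.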

Mitigation and Best Practices

Patch and Upgrade

Install the April 2025 Hotfix (or newer) to enable the Dedicated Exchange Hybrid App or upgrade to the latest cumulative update:

  • Microsoft Exchange Server 2019 Cumulative Update 14 - Update
  • Microsoft Exchange Server 2016 Cumulative Update 23 - Update
  • Microsoft Exchange Server 2019 Cumulative Update 15 - Update
  • Microsoft Exchange Server Subscription Edition RTM - Update

Reconfigure Hybrid Trust

Goal: Replace the legacy shared service principal trust with the Dedicated Exchange Hybrid App in Entra ID, then remove the leftover trust.

Deploy and Enable the Dedicated Hybrid App

Recommended script:

.\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication

Or split steps:

.\ConfigureExchangeHybridApplication.ps1 -CreateExchangeHybridApplication

.\ConfigureExchangeHybridApplication.ps1 -EnableExchangeHybridApplication

Alternative via Hybrid Configuration Wizard (HCW):
Run the updated HCW to create the dedicated app, then enable it manually.

Reference: https://aka.ms/ConfigureExchangeHybridApplication-Docs

Remove the Legacy Shared Trust

After the dedicated app is active, run the script in clean-up mode:

.\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials

Details: https://aka.ms/ConfigureExchangeHybridApplication-Docs#service-principal-clean-up-mode

Verify

Confirm the dedicated app is enabled for on-prem servers and that the shared service principal no longer has your key credentials. Re-run clean-up if HCW is executed again.

Conclusion

CVE-2025-53786 is a high-impact vulnerability in the hybrid trust model. While no exploitation has been confirmed, the potential for full domain compromise requires immediate action:

  • Apply the latest patches
  • Enable the dedicated hybrid app
  • Remove shared trust keys
  • Verify configuration

Use MDVM to continuously surface lagging servers, track remediation, and monitor for regressions such as HCW re-execution. Embed these steps into standard procedures to prevent future exposure.

Updated Aug 12, 2025
Version 2.0