BrianKrebs
@briankrebs@infosec.exchange

CISA has published a severe vulnerability notice regarding a Microsoft Exchange flaw that was disclosed at Black Hat in Las Vegas:

"CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service."

"While Microsoft has stated there is no observed exploitation as of the time of this alert’s publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise."

https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments

NextGov writes:

"At Black Hat in Las Vegas, Nevada, Outsider Security researcher Dirk-jan Mollema presented a long-form demo exploiting the flaw, where he said he was able to modify user passwords, convert cloud users to hybrid users and impersonate hybrid users."

"Through the exploit, hackers could also modify executive permissions, known as service principals, where they could escalate network access privileges or establish persistent access between on-premises Exchange and Microsoft 365 by tampering with the identities and permissions set up on a network."

No patch, but CISA's alert includes some guidance on hardening and mitigations.

MS advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786