Alert essentials:
CoPilot protections could have been bypassed with a simple email, allowing threat actors to exfiltrate data from Microsoft 365 users without user interaction or awareness.
The weakness has been patched, and no action from users is needed at this time.
Detailed threat description:
Failure to mitigate CVE-2025-53786 in hybrid Exchange environments could result in a complete compromise of both the cloud and on-premises domains. In hybrid configurations, the on-premises server and Exchange Online share an identity used for authentication between the two environments.
An attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces.
Microsoft released guidance on hybrid Exchange deployments in April 2025. Since that release, Microsoft has identified security implications associated with that guidance and has assigned CVE-2025-53786 to this post-authentication flaw.
No attacks have been reported in the wild, yet the weakness is publicly exposed and expected to be weaponized quickly. Organizations using a hybrid Exchange configuration should take steps immediately to secure their networks.
Impacts on healthcare organizations:
Many healthcare organizations rely heavily on Exchange for internal communications. Failure to patch this vulnerability could allow attackers to deploy ransomware across systems, resulting in the loss of patient information or damage to a business’s reputation.
Affected Products / Versions
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
- Microsoft Exchange Subscription Edition
CVEs
- CVE-2025-53786 (CWE-287, CVSS 8.0)
Recommendations
Engineering recommendations:
- Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script
- Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions)
- It is best practice to disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet
- Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premises Exchange server
- Disconnect End-of-Life Servers
- If you have not installed the older SU yet, you can install the newer HU directly and skip the older SU.
- Transition to Dedicated Exchange Hybrid Application
- Perform credential cleanup by resetting the service principal’s keyCredentials
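The steps above, gathered into one verification script to run from the Exchange Management Shell on an on-premises server. This is an added example, not part of the advisory or of Microsoft’s tooling; it assumes HealthChecker.ps1 and ConfigureExchangeHybridApplication.ps1 (both linked in the references) have been downloaded to C:\Tools, and the parameter names used for ConfigureExchangeHybridApplication.ps1 are assumptions that should be confirmed against the Microsoft page before use.

```powershell
# Added example (not from the advisory or from Microsoft). Run in the Exchange
# Management Shell. Assumes the two Microsoft scripts live in C:\Tools.
$tools = 'C:\Tools'

# 1. Inventory: every Exchange server with its role and build number, so the
#    build can be compared with the April 2025 HU builds in Microsoft's post.
$servers = Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
$servers | Format-Table -AutoSize

# 2. Is this organization actually hybrid? If no hybrid configuration exists,
#    the shared on-premises/Exchange Online identity described above is not
#    in play and the CVE-2025-53786 hybrid path does not apply.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if (-not $hybrid) {
    Write-Host 'No hybrid configuration found; hybrid-specific steps do not apply.'
    return
}
Write-Host 'Hybrid configuration present; checking update state on each server.'

# 3. Health Checker flags servers that are behind on CUs/SUs or still need
#    manual actions (including the hybrid application recommendation).
foreach ($s in $servers) {
    & (Join-Path $tools 'HealthChecker.ps1') -Server $s.Name
}

# 4. Only after the April 2025 HU is installed on every server and change
#    management has approved: move to the dedicated hybrid application, then
#    reset the first-party service principal's keyCredentials.
#    Parameter names below are ASSUMED; verify against the Microsoft page.
$hybridApp = Join-Path $tools 'ConfigureExchangeHybridApplication.ps1'
$proceed = Read-Host 'HU installed everywhere and change approved? (yes/no)'
if ($proceed -eq 'yes') {
    & $hybridApp -FullOperationSet
    & $hybridApp -ResetFirstPartyServicePrincipalKeyCredentials
} else {
    Write-Host 'Skipping hybrid application configuration and credential cleanup.'
}
```

Review the Health Checker output for each server before answering yes in step 4; the cleanup step invalidates the shared credential, so it belongs at the end of the sequence, not the start.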
Leadership / Program recommendations:
- Update your incident response playbooks to include scenarios involving hybrid Exchange compromise
- Conduct tabletop exercises to simulate exploitation of CVE-2025-53786
- Ensure executive leadership understands the urgency and potential impact
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Emergency Directive: https://www.cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability
- CISA: https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
- Microsoft April Hotfix: https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471
- Microsoft Deploying Dedicated Exchange Hybrid: https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app
- Microsoft Exchange Server Health Checker: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
- Microsoft Service Principal Clean-up for resetting keyCredentials: https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app#service-principal-clean-up-mode