Hybrid Exchange environment vulnerability needs fast action

if they haven’t already done so, install the Hot Fix released April 18, or any newer release, on their on-premises Exchange servers and follow the configuration instructions outlined in the document Deploy dedicated Exchange hybrid app. For additional details, they should refer to Exchange Server Security Changes for Hybrid Deployments;
then reset the service principal’s keyCredentials. That reset should be performed even if they’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and their Exchange Online organization and no longer use it;
then run the Microsoft Exchange Health Checker to determine whether further steps are required.

CISA also highly recommends that admins disconnect public-facing versions of Exchange Server or SharePoint Server that have reached end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be disconnected if still in use.

Johannes Ullrich, dean of research at the SANS Institute, noted that this issue only affects organizations that run Exchange on premises in hybrid mode. “Past vulnerabilities and ongoing guidance from Microsoft have motivated many organizations to abandon on-premises Exchange in favor of cloud solutions,” he told CSO in an email. “The number of organizations still running Exchange on premises is getting smaller and smaller.”

In order to exploit the vulnerability, he added, an attacker first must get admin rights on the on-premises Exchange server. “Having an attacker with admin rights is always a bad thing, and I am not sure this vulnerability increases the risk much,” he said. “It makes it easier to pivot into the organization’s cloud presence, but a patient attacker may learn what they need to get access just by observing Exchange traffic.”

The overall lesson, he added, is to move away from Exchange on-premises. “This product has become harder and harder to maintain,” he argued, “and Microsoft’s cloud solutions are an adequate alternative. This vulnerability does not add substantial risk and should not be treated as an emergency. Keeping Exchange patched and configured well is not easy, and must be done with careful testing.”

The vulnerability, CVE-2025-53786, is tied to Microsoft’s April 18 release of Exchange Server Security Changes for Hybrid Deployments and the accompanying non-security HotFix, which were intended to improve the security of hybrid Exchange deployments. Following further investigation, Microsoft said, it identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft also credited Dutch researcher Dirk-jan Mollema, head of Outsider Security.

Separately, Exchange admins should also note that, starting this month, Microsoft will begin temporarily blocking Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal. By default, that principal is used by some coexistence features in hybrid scenarios. This is part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app, Microsoft said.
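The step that carries the security weight in the guidance above is the keyCredentials reset. In a hybrid deployment, the certificates registered on the Exchange Online shared service principal are what let on-premises Exchange obtain tokens for Exchange Online, so an attacker who already holds admin on the on-premises server can use that same trust to pivot into the tenant; clearing the credentials removes that path. The PowerShell below is an added example, not code from the CSO article, from Microsoft, or from CISA. It assumes the Microsoft.Graph PowerShell module is installed and that the operator can consent to the Application.ReadWrite.All scope; the appId is the well-known first-party Office 365 Exchange Online application. It lists what is currently registered before clearing it, because an unexpected entry is evidence worth preserving rather than just deleting.

```powershell
# Added example: inspect, then clear, the keyCredentials on the Exchange Online
# shared service principal (the "reset the service principal's keyCredentials" step).
# Assumes: Microsoft.Graph module installed; caller can consent to Application.ReadWrite.All.
# The appId below is the well-known Office 365 Exchange Online first-party application.

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }

# Step 1: look before you clear. Each entry is a certificate that can be used to obtain
# tokens as this service principal in your tenant. In a hybrid deployment that is normally
# the on-premises Exchange OAuth certificate; anything you do not recognise as yours should
# be recorded and investigated, since it may have been added by someone who already had
# admin rights on Exchange.
$before = @($sp.KeyCredentials)
Write-Host ("Service principal {0} has {1} keyCredential(s):" -f $sp.Id, $before.Count)
$before |
    Select-Object DisplayName, KeyId, Type, Usage, StartDateTime, EndDateTime |
    Format-Table -AutoSize

# Step 2: clear them. Do this only after the dedicated Exchange hybrid app is deployed and
# validated: the legacy shared-principal flow stops working the moment this call returns.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()

# Step 3: verify the reset actually applied; re-read the object rather than trusting $sp.
$after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property KeyCredentials
if (@($after.KeyCredentials).Count -ne 0) {
    throw 'keyCredentials still present on the service principal; reset did not apply.'
}
Write-Host 'keyCredentials cleared.'
```

Microsoft’s own ConfigureExchangeHybridApplication.ps1 script can perform this reset as well; the block above is the manual equivalent, with the inspection step added so the pre-reset state is captured. The ordering matters: run it after the hotfix and the dedicated hybrid app deployment, as the guidance above lists them, then run the Health Checker script from Microsoft’s CSS-Exchange GitHub repository on each Exchange server to confirm nothing else is outstanding.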

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4036018/hybrid-exchange-environment-vulnerability-needs-fast-action.html
