[SECURITY-L] Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments

CSIRT Unicamp security em unicamp.br
Quarta Agosto 13 09:26:19 -03 2025 

 Informação original:
https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments

Last Revised
August 12, 2025

*Update (08/12/2025):* CISA has updated this alert to provide clarification
on identifying Exchange Servers on an organization’s networks and provided
further guidance on running the Microsoft Exchange Health Checker.

*Update (08/07/2025):* CISA issued Emergency Directive (ED) 25-02: Mitigate
Microsoft Exchange Vulnerability
<https://www.cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability>
in response to *CVE-2025-53786*
<https://www.cve.org/CVERecord?id=CVE-2025-53786>

CISA is aware of the newly disclosed high-severity vulnerability,
*CVE-2025-53786* <https://www.cve.org/CVERecord?id=CVE-2025-53786>

, that allows a cyber threat actor with administrative access to an
on-premise Microsoft Exchange server to escalate privileges by exploiting
vulnerable hybrid-joined configurations. This vulnerability, if not
addressed, could impact the identity integrity of an organization’s
Exchange Online service.

While Microsoft has stated there is no observed exploitation as of the time
of this alert’s publication, CISA strongly urges organizations to implement
Microsoft’s *Exchange Server Hybrid Deployment Elevation of Privilege
Vulnerability*
<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786>

guidance outlined below, or risk leaving the organization vulnerable to a
hybrid cloud and on-premises total domain compromise.

   1. Organizations should first inventory all Exchange Servers on their
   networks (organizations should leverage existing visibility tools or
   publicly available tools, such as NMAP or PowerShell scripts, to accomplish
   this task).
   2. If using Exchange hybrid, review Microsoft’s guidance *Exchange
   Server Security Changes for Hybrid Deployments*
   <https://techcommunity.microsoft.com/blog/exchange/exchange-server-security-changes-for-hybrid-deployments/4396833>
     to determine if your Microsoft hybrid deployments are potentially
   affected and available for a Cumulative Update (CU).
   3. Install Microsoft’s *April 2025 Exchange Server Hotfix Updates*
   <https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471>
   on the on-premise Exchange server and follow Microsoft’s configuration
   instructions *Deploy dedicated Exchange hybrid app*
   <https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app>
   .
   4. For organizations using Exchange hybrid (or have previously
   configured Exchange hybrid but no longer use it), review Microsoft's Service
   Principal Clean-Up Mode
   <https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app#service-principal-clean-up-mode>
   for guidance on resetting the service principal’s keyCredentials.
   5. Upon completion, run the *Microsoft Exchange Health Checker*
   <https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/>
   with appropriate permissions to identify the CU level of each Exchange
   Server identified and to determine if further steps are required.

CISA highly recommends entities disconnect public-facing versions of
Exchange Server or SharePoint Server that have reached their end-of-life
(EOL) or end-of-service from the internet. For example, SharePoint Server
2013 and earlier versions are EOL and should be discontinued if still in
use.

Organizations should review Microsoft’s blog *Dedicated Hybrid App:
temporary enforcements, new HCW and possible hybrid functionality
disruptions*
<https://techcommunity.microsoft.com/blog/exchange/dedicated-hybrid-app-temporary-enforcements-new-hcw-and-possible-hybrid-function/4440682>

for additional guidance as it becomes available.

*Disclaimer:  *

The information in this report is being provided “as is” for informational
purposes only. CISA does not endorse any commercial entity, product,
company, or service, including any entities, products, or services linked
within this document. Any reference to specific commercial entities,
products, processes, or services by service mark, trademark, manufacturer,
or otherwise, does not constitute or imply endorsement, recommendation, or
favoring by CISA.
- to determine if your Microsoft hybrid deployments are potentially
affected and available for a Cumulative Update (CU).
- Install Microsoft’s *April 2025 Exchange Server Hotfix Updates*
<https://techcommunity.microsoft.com/blog/exchange/released-april-2025-exchange-server-hotfix-updates/4402471>
- .
- For organizations using Exchange hybrid (or have previously configured
Exchange hybrid but no longer use it), review Microsoft's Service Principal
Clean-Up Mode
<https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app#service-principal-clean-up-mode>
- for guidance on resetting the service principal’s keyCredentials.
- Upon completion, run the *Microsoft Exchange Health Checker*
<https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/>


Computer Security Incident Response Team - CSIRT
Diretoria Executiva de Tecnologia da Informação e Comunicação - DETIC
Universidade Estadual de Campinas - Unicamp
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20250813/61b29821/attachment-0001.html>

Mais detalhes sobre a lista de discussão SECURITY-L