A critical vulnerability in Microsoft Exchange Server remains unpatched on nearly 30,000 systems worldwide, raising concerns about potential exploitation in hybrid cloud environments.
The vulnerability, tracked as CVE-2025-53786, affects Exchange 2016, Exchange 2019 and Exchange Server Subscription Edition in hybrid configurations with Exchange Online. The vulnerability allows attackers with administrator access to an on-premises server to escalate privileges in the connected cloud environment, potentially compromising the entire domain.
According to the Shadowserver Foundation, the exact number of Exchange servers exposed to the vulnerability as of Aug. 10 was 29,098. The highest concentrations were in the U.S. (more than 7,200), followed by Germany (6,700) and Russia (2,500), with thousands more in France; the U.K., Austria and Canada also had exposed servers.
Underlining the severity of the issue, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 25-02 on Aug. 7 for federal agencies, requiring immediate mitigation. Agencies have been ordered to inventory Exchange environments using Microsoft’s Health Checker script, disconnect unsupported servers exposed to the internet, apply a hotfix and the latest cumulative updates and implement Microsoft’s guidance for a dedicated hybrid app to replace insecure shared service principals.
The hotfix mentioned in the CISA guidance refers to an update issued by Microsoft in April which, at the time, was presented as an architectural change to improve hybrid identity security by encouraging use of a “dedicated hybrid app.” Microsoft itself only officially documented the vulnerability on Aug. 6.
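As an added example (not from the article, CISA or Microsoft), the following PowerShell check, run from the Exchange Management Shell, inventories the organization's servers and flags any on an unsupported branch or below the hotfixed build. The Get-ExchangeBuildStatus function and the minimum-build table are assumptions, and the build numbers are placeholders to be filled in from Microsoft's Exchange build-number table.

```powershell
# Added example: inventory on-premises Exchange servers and flag ones that are
# out of support or below the hotfixed build. Run from the Exchange Management
# Shell on a server in the hybrid-connected organization.
# The build values below are PLACEHOLDERS (assumption): fill them from
# Microsoft's Exchange build-number table for the April 2025 hotfix.
$MinimumPatchedBuild = @{
    '15.1' = [version]'15.1.0.0'   # Exchange 2016: replace with hotfixed build
    '15.2' = [version]'15.2.0.0'   # Exchange 2019 / Subscription Edition share 15.2:
                                   # set to the lower of their hotfixed builds
}

function Get-ExchangeBuildStatus {
    param([string]$Name, [string]$AdminDisplayVersion)
    # AdminDisplayVersion renders as e.g. "Version 15.2 (Build 1544.4)"
    if ($AdminDisplayVersion -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [pscustomobject]@{ Server = $Name; Build = $AdminDisplayVersion; Status = 'UNPARSED' }
    }
    $build  = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    $branch = "$($Matches[1]).$($Matches[2])"
    $status = if (-not $MinimumPatchedBuild.ContainsKey($branch)) {
        'OUT_OF_SUPPORT'            # 15.0 and older: Exchange 2013 and earlier
    } elseif ($build -lt $MinimumPatchedBuild[$branch]) {
        'NEEDS_HOTFIX'
    } else {
        'PATCHED'
    }
    [pscustomobject]@{ Server = $Name; Build = $build.ToString(); Status = $status }
}

# Enumerate every Exchange server in the organization and report its status.
$report = Get-ExchangeServer | ForEach-Object {
    Get-ExchangeBuildStatus -Name $_.Name -AdminDisplayVersion ([string]$_.AdminDisplayVersion)
}
$report | Sort-Object Status | Format-Table -AutoSize

# Servers reported as NEEDS_HOTFIX or OUT_OF_SUPPORT are the ones the directive
# says to update or take off the internet-facing path.
```

Applying the cumulative update and hotfix is only the first step; the dedicated hybrid app configuration and service principal clean-up in Microsoft's guidance still have to be carried out afterwards.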
Given the severity of the vulnerability and potential risks, cybersecurity experts are also urging those with Exchange servers to take action.
“This is a serious vulnerability in Exchange and security teams should give it immediate attention,” Thomas Richards, infrastructure security practice director at application security software provider Black Duck Software Inc., told SiliconANGLE via email.
“Patching the server is not enough and since it is difficult to detect compromise, Microsoft has provided actions for teams to take to make sure any compromised trust tokens are rotated,” explained Richards. “This is essential for teams to follow for a full remediation and to ensure uncompromised trust in software. If the system is unpatched, CISA has warned of a complete compromise of Exchange and Active Directory being possible. If compromised, it could cause a detrimental impact on business operations.”