{"id":14585,"date":"2025-08-07T18:46:30","date_gmt":"2025-08-07T18:46:30","guid":{"rendered":"https:\/\/newestek.com\/?p=14585"},"modified":"2025-08-07T18:46:30","modified_gmt":"2025-08-07T18:46:30","slug":"hybrid-exchange-environment-vulnerability-needs-fast-action","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14585","title":{"rendered":"Hybrid Exchange environment vulnerability needs fast action"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Administrators with hybrid Exchange Server environments are urged by Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) to quickly plug a high-severity vulnerability or risk system compromise.<\/p>\n<p>Hybrid Exchange deployments offer organizations the ability to extend the user features and admin controls of the on-prem version of Exchange within Microsoft 365. Hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization, Microsoft said.<\/p>\n<p>The benefits include secure mail routing between on-premises and Exchange Online organizations, mail routing with a shared domain namespace (for example, both on-premises and Exchange Online organizations use the\u00a0@contoso.com\u00a0SMTP domain) and calendar sharing between on-premises and Exchange Online organizations.<\/p>\n<p>To exploit the vulnerability, an attacker has to first gain administrative access to an on-premises Exchange server. 
From there, however, the vulnerability could allow the hacker to escalate privileges within the organization\u2019s connected cloud environment without leaving easily detectable and auditable traces,<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53786\" target=\"_blank\" rel=\"noreferrer noopener\"> Microsoft warned in a security update<\/a>.<\/p>\n<p>\u201cThis risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations,\u201d the update explained. A service principal is an identity used to control application access and the resources the application accesses.<\/p>\n<p>To protect this hybrid environment, administrators should:<\/p>\n<ul class=\"wp-block-list\">\n<li>if they haven\u2019t already done so, install the\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/released-april-2025-exchange-server-hotfix-updates\/4402471\" target=\"_blank\" rel=\"noreferrer noopener\">Hot Fix<\/a>\u00a0released April 18 \u2014 or any newer release \u2014 on their on-premises Exchange servers and follow the configuration instructions outlined in the document\u00a0<em><a href=\"https:\/\/aka.ms\/ConfigureExchangeHybridApplication-Docs\" target=\"_blank\" rel=\"noreferrer noopener\">Deploy dedicated Exchange hybrid app<\/a><\/em>. For additional details, they should refer to\u00a0<em><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/exchange-server-security-changes-for-hybrid-deployments\/4396833\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Server Security Changes for Hybrid Deployments<\/a><\/em>;<\/li>\n<li>then <a href=\"https:\/\/aka.ms\/ConfigureExchangeHybridApplication-Docs#service-principal-clean-up-mode\" target=\"_blank\" rel=\"noreferrer noopener\">reset the service principal\u2019s keyCredentials<\/a>. 
That reset should be performed even if they\u2019ve previously configured Exchange hybrid or\u00a0<a href=\"https:\/\/learn.microsoft.com\/exchange\/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth authentication between Exchange Server and their Exchange Online organization<\/a> and no longer use it;<\/li>\n<li>then run the\u00a0<a href=\"https:\/\/microsoft.github.io\/CSS-Exchange\/Diagnostics\/HealthChecker\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Exchange Health Checker<\/a>\u00a0to determine whether further steps are required.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/08\/06\/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments\" target=\"_blank\" rel=\"noreferrer noopener\">CISA also highly recommends<\/a> that admins disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be disconnected if still in use.<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, noted that this issue only affects organizations that run Exchange on premises in hybrid mode. \u201cPast vulnerabilities and ongoing guidance from Microsoft have motivated many organizations to abandon on-premises Exchange in favor of cloud solutions,\u201d he told CSO in an email. \u201cThe number of organizations still running Exchange on premises is getting smaller and smaller.\u201d<\/p>\n<p>In order to exploit the vulnerability, he added, an attacker first must get admin rights on the on-premises Exchange server. 
\u201cHaving an attacker with admin rights is always a bad thing, and I am not sure this vulnerability increases the risk much,\u201d he said. \u201cIt makes it easier to pivot into the organization\u2019s cloud presence, but a patient attacker may learn what they need to get access just by observing Exchange traffic.\u201d<\/p>\n<p>The overall lesson, he added, is to move away from Exchange on-premises. \u201cThis product has become harder and harder to maintain,\u201d he argued, \u201cand Microsoft\u2019s cloud solutions are an adequate alternative. This vulnerability does not add substantial risk and should not be treated as an emergency. Keeping Exchange patched and configured well is not easy, and must be done with careful testing.\u201d<\/p>\n<p>The vulnerability, CVE-2025-53786, stems from Microsoft\u2019s April 18 release of\u00a0<em><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/exchange-server-security-changes-for-hybrid-deployments\/4396833\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Server Security Changes for Hybrid Deployments<\/a><\/em>\u00a0and the accompanying non-security\u00a0HotFix, which were intended to improve the security of hybrid Exchange deployments.<\/p>\n<p>Following further investigation, Microsoft said, it identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. 
Microsoft also credited the efforts of Dutch researcher <a href=\"https:\/\/outsidersecurity.nl\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dirk-jan Mollema<\/a>, head of Outsider Security.<\/p>\n<p>Separately, Exchange admins should note that, <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/dedicated-hybrid-app-temporary-enforcements-new-hcw-and-possible-hybrid-function\/4440682\" target=\"_blank\" rel=\"noreferrer noopener\">starting this month, Microsoft will begin temporarily blocking Exchange Web Services (EWS) traffic<\/a> that uses the Exchange Online shared service principal. By default that service principal is used by some coexistence features in hybrid scenarios. This is part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app, Microsoft said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Administrators with hybrid Exchange Server environments are urged by Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) to quickly plug a high-severity vulnerability or risk system compromise. Hybrid Exchange deployments offer organizations the ability to extend the user features and admin controls of the on-prem version of Exchange within Microsoft 365. 
Hybrid deployment can serve as an intermediate step to moving completely to&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14585\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14585","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14585"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14585\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}