More than 29,000 Microsoft Exchange servers exposed to the internet have remained unpatched against a high-severity vulnerability that could allow attackers to seize control of entire domains in hybrid cloud environments.
The flaw, tracked as CVE-2025-53786, affects Exchange Server 2016, Exchange Server 2019 and Microsoft Exchange Server Subscription Edition. It enables attackers with administrative access to on-premises Exchange servers to escalate privileges in connected Microsoft 365 environments by forging trusted tokens or API calls, a method that leaves few traces.
“This is a serious vulnerability in Exchange and security teams should give it immediate attention,” said Thomas Richards, infrastructure security practice director at Black Duck.
“Patching the server is not enough, and since it is difficult to detect compromise, Microsoft has provided actions for teams to take to make sure any compromised trust tokens are rotated.”
Recent scans by threat monitoring group Shadowserver found 29,098 vulnerable servers worldwide. The most significant numbers are in:
- US: 7296
- Germany: 6682
- Russia: 2513
- France: 1558
- UK: 955
- Austria: 928
- Canada: 860
Microsoft disclosed the flaw last week, though a hotfix was issued in April 2025 under its Secure Future Initiative. This update replaced the insecure shared identity model used between on-premises and cloud Exchange services with a dedicated hybrid application in Microsoft Entra ID.
The company has found no evidence of active exploitation so far, but warned that reliable attack code could be developed.
CISA Orders Urgent Federal Action
The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02 last week, ordering all Federal Civilian Executive Branch agencies to mitigate the flaw by 9:00am EDT on August 11.
“This vulnerability poses a grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance, and immediate mitigation is critical,” CISA said.
Agencies must:
- Inventory their Exchange environments using Microsoft’s Health Checker script
- Disconnect any public-facing servers not supported by the April 2025 hotfix, including end-of-life versions
- Apply the latest cumulative updates (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016) and install the April 2025 hotfix
“In modern hybrid IT environments, there can often be hidden paths to privilege opened up by often long-forgotten service accounts,” explained James Maude, field CTO at BeyondTrust.
“Having visibility of the true privilege of all identities, human and non-human, is of ever-increasing importance as NHIs, including AI, rapidly outpace human identities in scale and privilege.”
Risks Beyond Government Systems
Although the directive is binding only for federal agencies, CISA urged all organisations to follow the same process. Security experts have also urged caution.
“To reduce the risks associated with non-human identities, security teams need to implement modern identity management practices, strong governance and proactive security controls,” said Elad Luz, head of research at Oasis Security.
With thousands of servers still exposed just hours before the government’s deadline, experts warn the flaw could be weaponised quickly if patching and security measures are delayed.