“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft has announced on Wednesday. The privilege escalation can be performed by exploiting CVE-2025-53786, a newly disclosed vulnerability that stems from Exchange Server and Exchange Online sharing the same service principal – i.e., the Office 365 Exchange Online application – in … More

The post Microsoft urges admins to plug severe Exchange security hole (CVE-2025-53786) appeared first on Help Net Security.