Microsoft has confirmed a serious flaw in hybrid Exchange deployments that could let attackers move from on-premises servers into the cloud environment without being detected. The vulnerability, tracked as CVE-2025-53786, has significant implications for identity security.
One Hybrid Exchange vulnerability affects cloud-linked identity

At the core of the issue is a shared identity connection between Exchange Online and the on-premises servers. When this bridge is exploited, an attacker who already holds administrative access to the on-premises server can forge tokens or cloud API calls that generate no audit log entries. As a result, they can gain broad access to cloud systems without leaving a trace.
Still using hybrid? Here’s what to do now
To reduce exposure, Microsoft recommends taking the following steps immediately:
- Apply the April 2025 or newer updates
- Switch to the dedicated Exchange hybrid app
- Reset the shared identity credentials (the service principal's ‘keyCredentials’)
- Use the Health Checker to confirm changes
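The credential-reset step above is the one most often left unverified. The following PowerShell script is an added example (not from the article or from Microsoft) that uses the Microsoft Graph PowerShell SDK to list every keyCredential still attached to the shared service principal, flag expired entries, and preview clearing them. The application ID is a placeholder you must replace with the ID of the service principal your hybrid setup shared credentials with; Microsoft's own remediation script performs the clean-up for you, and this example is only an independent check that nothing was left behind.

```powershell
# Added example: audit leftover keyCredentials on the shared Exchange Online
# service principal after moving to the dedicated hybrid app.
# Requires the Microsoft.Graph.Applications module.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# PLACEHOLDER (assumption): the application (client) ID of the service
# principal that the legacy hybrid configuration shared credentials with.
$appId = "<APPLICATION-ID-PLACEHOLDER>"

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

if (-not $sp.KeyCredentials) {
    Write-Host "No keyCredentials remain on $($sp.DisplayName); reset already completed."
    return
}

# Show each remaining credential with its expiry and thumbprint-style identifier,
# so an operator can see whether the old on-prem Exchange auth certificate is still trusted.
$sp.KeyCredentials | ForEach-Object {
    [pscustomobject]@{
        KeyId   = $_.KeyId
        Name    = $_.DisplayName
        Type    = $_.Type
        Usage   = $_.Usage
        Expires = $_.EndDateTime
        Expired = ($_.EndDateTime -lt (Get-Date))
        Thumb   = if ($_.CustomKeyIdentifier) {
                      [System.BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', ''
                  } else { $null }
    }
} | Format-Table -AutoSize

# The actual reset: remove every shared credential. -WhatIf previews the change;
# drop it only after confirming the dedicated hybrid app is in place and working.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @() -WhatIf
```

Run the script once before the reset to record what is present, and again afterwards to confirm the list is empty; an empty KeyCredentials collection is the state the Health Checker step is meant to confirm.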
In addition, CISA now requires U.S. federal agencies to disconnect unsupported on-premises Exchange or SharePoint servers from the internet. Agencies must patch vulnerable setups before August 15.
One Hybrid Exchange flaw hides in trusted channels
Unlike most attacks, this one needs no malware; it abuses trust. Because the cloud still “trusts” the old hybrid links, a skilled attacker can slip past modern defenses. This puts identities, email, and admin roles at risk.
Why does this vulnerability hit harder than most?
Hybrid setups were designed to help move users to the cloud. In this case, though, they create a quiet path for attacks, and that path is built on outdated trust that few people think to check.
One Hybrid Exchange flaw demands a new mindset
Moving forward, shared trust models won’t cut it. As Microsoft shifts to stronger defenses, organizations must retire legacy trust paths before they are used against them.