Cybersecurity Threat Advisory: Microsoft Exchange high-severity vulnerability

CVE-2025-53786 is a high-severity vulnerability affecting Microsoft Exchange servers, allowing attackers to move laterally within Microsoft cloud environments and potentially compromise entire domains. Currently, approximately 29,000 Exchange servers remain unpatched, leaving organizations exposed to significant risk. Review the information in this Cybersecurity Threat Advisory to make sure your environment is secure.

What is the threat?

CVE-2025-53786 enables threat actors who have already gained admin access to an on-premises Exchange server to escalate privileges within the organization's connected cloud environment. Attackers achieve this by manipulating or replicating trusted tokens and API calls, often without leaving clear traces, which makes detection extremely difficult. Security researchers warn that simply patching affected servers is not enough to fully mitigate the risk. As a precaution, Microsoft has begun rotating potentially compromised tokens, recognizing the need for broader remediation beyond traditional patching.

Why is it noteworthy?

The CVE-2025-53786 vulnerability affects Microsoft Exchange Server 2016, 2019, and the Subscription Edition — which replaces the traditional perpetual license model with a subscription-based approach — in hybrid configurations. This vulnerability affects all unpatched on-premises Exchange servers, including end-of-life versions that administrators should have already disconnected from active environments.

What is the exposure or risk?

As of August 10, approximately 29,000 Microsoft Exchange servers remain unpatched, according to recent scans by the threat monitoring platform Shadowserver. Of these, over 7,200 IP addresses were located in the United States, more than 6,700 in Germany, and over 2,500 in Russia — underscoring the global scale of the exposure.

Successful exploitation allows attackers to gain unauthorized access, steal sensitive data, and move laterally within affected networks, resulting in widespread compromise, especially in environments where patching and access controls are not strictly enforced.

What are the recommendations?

Barracuda recommends the following steps to mitigate the impact of CVE-2025-53786:

  • Take inventory of your Exchange environments using Microsoft’s Health Checker script.
  • Remove unsupported public-facing servers from the internet before the April 2025 hotfix deadline.
  • Update all remaining servers with the latest patches (CU14 or CU15 for Exchange 2019, and CU23 for Exchange 2016) as well as Microsoft’s April hotfix.
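The following PowerShell is an added example, not code from the advisory, from Barracuda, or from Microsoft's Health Checker. It covers the first and third recommendations above: it inventories every on-premises Exchange server via the Exchange Management Shell and flags servers below the cumulative-update level the advisory names (CU14/CU15 for Exchange 2019, CU23 for Exchange 2016) or on a version line with no supported CU at all. The minimum build numbers in the table are assumptions written from memory and must be confirmed against Microsoft's published Exchange build-number reference before the output is acted on.

```powershell
# Added example (not from the advisory, Barracuda or Microsoft): inventory
# on-premises Exchange servers and flag any below the CU level the advisory
# calls for. Assumes an Exchange Management Shell session (Get-ExchangeServer
# available) with at least View-Only Organization Management rights.
#
# Minimum build per version line (ASSUMED; verify against Microsoft's published
# Exchange Server build-number table before relying on this):
#   15.2 = Exchange 2019 -> CU14 = 15.2.1544 (CU15 = 15.2.1748 also satisfies it)
#   15.1 = Exchange 2016 -> CU23 = 15.1.2507
#   15.0 = Exchange 2013 -> end of life, no supported CU; always flagged
$MinimumBuild = @{
    '15.2' = 1544
    '15.1' = 2507
}

function Get-ExchangePatchStatus {
    [CmdletBinding()]
    param(
        # Accepts pre-collected server objects so the function can also run
        # against a saved inventory (e.g. Get-ExchangeServer | Export-Clixml).
        [Parameter(ValueFromPipeline)]
        [object[]]$Server = (Get-ExchangeServer)
    )
    process {
        foreach ($s in $Server) {
            $v    = $s.AdminDisplayVersion          # ServerVersion: Major/Minor/Build/Revision
            $line = '{0}.{1}' -f $v.Major, $v.Minor # e.g. '15.2' for Exchange 2019

            $status = if ($MinimumBuild.ContainsKey($line)) {
                if ($v.Build -ge $MinimumBuild[$line]) { 'CurrentCU' } else { 'NeedsCU' }
            } else {
                'Unsupported'   # no supported CU exists for this version line
            }

            [pscustomobject]@{
                Name    = $s.Name
                Version = '{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision
                Line    = $line
                Status  = $status
            }
        }
    }
}

# Usage: show every server, worst status first, and export the gaps for tracking.
Get-ExchangePatchStatus |
    Sort-Object Status -Descending |
    Tee-Object -Variable inventory |
    Format-Table -AutoSize

$inventory |
    Where-Object Status -ne 'CurrentCU' |
    Export-Csv -Path .\exchange-patch-gaps.csv -NoTypeInformation
```

The build comparison only establishes the cumulative-update level; it does not confirm that Microsoft's April hotfix has been applied on top of the CU, so the Health Checker script named in the first recommendation remains the authoritative check for that step. Servers reported as Unsupported are the end-of-life installations the advisory says should already have been removed from the environment.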

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
