• Microsoft sounded the alarm on a hybrid Exchange bug in early August 2025
• However, almost 30,000 instances remain vulnerable
• Microsoft has advised users how to defend their endpoints, so patch now

Almost a week after Microsoft publicized finding and patching a dangerous, high-severity flaw in hybrid Exchange deployments, experts have warned thousands of endpoints remain vulnerable.

The Shadowserver Foundation, a nonprofit organization dedicated to empowering the cybersecurity community, claims 29,000 Exchange servers remain unpatched and exposed online, leaving them open to threat actors looking to break in.

Matters could be even worse because activity originating from on-prem Exchange does not always generate the Microsoft 365 logs normally associated with malicious behavior, so an attack could go unnoticed by cloud-based auditing.

Escalating privileges

Microsoft has urged customers to be on high alert for an “improper authentication bug” which could allow threat actors who already hold admin access to an on-prem Exchange Server to escalate privileges into the connected Exchange Online environment, owing to trust flaws in the shared service principal configuration.

Of the affected servers, 7,200 are located in the United States, 6,700 are in Germany, and around 2,500 are in Russia.

A hybrid Microsoft Exchange deployment combines on-premises Exchange servers with Exchange Online in Microsoft 365, allowing them to work together as one system. It lets organizations support seamless email, calendar, and contact sharing across both environments.

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces,” Microsoft said. Exchange Server 2016, Exchange Server 2019 and Microsoft Exchange Server Subscription Edition are all affected.

Even though there is no evidence of abuse in the wild yet, Microsoft has urged its customers to apply April 2025 hotfixes, transition to the dedicated Exchange Hybrid app, and reset the shared service principal’s credentials to mitigate the risk.

Via BleepingComputer
