{"id":22755,"date":"2025-10-02T15:46:08","date_gmt":"2025-10-02T08:46:08","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=22755"},"modified":"2026-01-20T10:29:56","modified_gmt":"2026-01-20T03:29:56","slug":"exchange-server-face-security-vulnerability","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/exchange-server-face-security-vulnerability\/","title":{"rendered":"More than 29,000 Exchange servers face a serious security vulnerability that leads to data loss and system takeover"},"content":{"rendered":"<h2 id=\"heading-overview\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Overview<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>In early August 2025<\/strong>\u00a0(Microsoft published its advisory on August 6; the unpatched-server figures below were reported on August 11\u201312), a high-severity vulnerability, <strong>CVE-2025-53786<\/strong>, was disclosed in\u00a0<strong>Microsoft Exchange hybrid<\/strong>\u00a0deployments \u2013 configurations that connect on-premises Exchange Server to Exchange Online in Microsoft 365. 
This vulnerability allows an attacker who has already gained administrative control of an on-premises Exchange server to escalate into the organization\u2019s Exchange Online tenant without leaving traces that standard Microsoft 365 logging tools can easily detect or audit. It is not a remote entry point: it turns one compromised on-premises server into cloud-wide access.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/1-1756112207.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-22756\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/1-1756112207.jpg\" alt=\"1 1756112207\" width=\"1024\" height=\"534\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/1-1756112207.jpg 1024w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/1-1756112207-700x365.jpg 700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">According to scan data from The Shadowserver Foundation, as of August 10, 2025 there were\u00a0<strong>29,098 internet-exposed Exchange servers<\/strong>\u00a0that had not yet received the update addressing this vulnerability. 
Of these, more than\u00a0<strong>7,200 were in the United States<\/strong>, over\u00a0<strong>6,700 in Germany<\/strong>, and more than\u00a0<strong>2,500 in Russia.<\/strong><\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/2-1756112260.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-22757\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/2-1756112260.jpg\" alt=\"2 1756112260\" width=\"1600\" height=\"663\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/2-1756112260.jpg 1600w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/2-1756112260-700x290.jpg 700w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/a><\/p>\n<h2 id=\"heading-vulnerability-description\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Vulnerability Description<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>CVE identifier:<\/strong>\u00a0CVE-2025-53786<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>CVSS v3.1 base score:<\/strong>\u00a08.0 (High)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Vulnerability class:<\/strong>\u00a0<strong>Elevation of Privilege (EoP)<\/strong>\u00a0\u2013 an attacker with administrative control of on-premises Exchange gains privileges in the cloud environment (Exchange Online)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Root cause:<\/strong>\u00a0in the legacy hybrid configuration, on-premises Exchange Server and Exchange Online authenticate to each other through the same first-party\u00a0<strong>service principal<\/strong>. The Hybrid Configuration Wizard registers the on-premises Auth Certificate as a credential of that principal, so whoever holds the certificate\u2019s private key is trusted by the cloud as Exchange itself, with no per-server identity that could be revoked or audited individually<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-vulnerability-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Vulnerability Details<\/strong><\/span><\/h2>\n<p><a 
href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/3-1756112363.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-22758\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/3-1756112363.jpg\" alt=\"3 1756112363\" width=\"1214\" height=\"802\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/3-1756112363.jpg 1214w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/08\/3-1756112363-700x462.jpg 700w\" sizes=\"(max-width: 1214px) 100vw, 1214px\" \/><\/a><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The attacker first needs\u00a0<strong>administrative rights on the on-premises Exchange server<\/strong>. With them, they export the Exchange Server Auth Certificate together with its private key from the server\u2019s local machine certificate store (it is the certificate whose thumbprint\u00a0<code>Get-AuthConfig<\/code>\u00a0reports). A key marked exportable can be exported directly, and the non-exportable flag is not a real barrier for a local administrator either.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">With the\u00a0<strong>private key<\/strong>, the attacker mints their own OAuth credentials: the key is used to\u00a0<strong>sign a JSON Web Token (JWT)<\/strong>\u00a0as a\u00a0<strong>self-signed client assertion<\/strong>\u00a0(the certificate-based client authentication of RFC 7523), which proves to the token service that the caller is the trusted Exchange service principal. 
This JWT is presented to the Microsoft Entra ID (formerly Azure AD) OAuth 2.0 token endpoint.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Example token endpoint:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>https:\/\/login.microsoftonline.com\/{tenantID}\/oauth2\/token<\/code><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Because Exchange Online treats tokens issued to this service principal as coming from Exchange itself, the attacker can set the\u00a0<strong>&#8220;act-as&#8221; claims<\/strong>\u00a0(the user Exchange claims to be acting on behalf of) to any hybrid user account in the tenant, including administrators, and the cloud accepts the impersonation without checking which server actually made the request.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Once a user is impersonated, the attacker can:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Read and write mail in Exchange Online.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Access files in SharePoint and OneDrive.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Run Exchange Online PowerShell as the impersonated administrator.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Exfiltrate data, plant a persistent backdoor in the cloud tenant, or pivot to other SaaS systems that trust Microsoft Entra ID.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Recommendations<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>1. 
Apply the latest patches and hotfixes<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Update immediately<\/strong>\u00a0to a supported build:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exchange 2019<\/strong>: Cumulative Update 14 (CU14) or CU15<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exchange 2016<\/strong>: CU23<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exchange Server Subscription Edition (SE)<\/strong>: RTM already contains the hotfix changes, but the hybrid app steps below still apply<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53786\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-53786 &#8211; Security Update Guide &#8211; Microsoft &#8211; Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Install the\u00a0<strong>April 2025 Hotfix Update<\/strong>\u00a0(or any later update) on that CU; it is the release that adds support for the dedicated Exchange hybrid app.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Patching alone does not close the gap. Deploy the\u00a0<strong>dedicated Exchange hybrid app<\/strong>\u00a0with Microsoft\u2019s <code>ConfigureExchangeHybridApplication.ps1<\/code> script, which creates an application of your own in Entra ID and moves the auth certificate to it. Once it works, remove the certificate key credentials from the shared first-party Exchange Online service principal (the script\u2019s clean-up step); until they are removed, the shared trust remains exploitable.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Ensure no server\u00a0<strong>runs an end-of-life (EOL) version<\/strong>; unsupported versions receive no fix.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>2. Revoke and renew OAuth keys<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">If you suspect or know that the on-premises environment has been compromised, treat the Auth Certificate\u2019s private key as stolen and\u00a0<strong>revoke the old OAuth certificate<\/strong>\u00a0immediately, on both sides: replace it on-premises and remove it from the cloud service principal. Rotating only on-premises leaves the cloud trusting the old key.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Generate a new certificate and private key and update the hybrid configuration so that the new certificate is published.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Remove any unused or unrecognized key credentials to reduce the attack surface.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>3. 
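Audit the shared trust and rotate the auth certificate (worked example)<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The following script is an added example; it is not code from the original article and not a Microsoft script. It ties recommendation 2 to the shared service principal described under Vulnerability Details: it lists the certificates the on-premises side uses for OAuth, lists the certificate key credentials the first-party Exchange Online service principal trusts, flags any cloud-trusted certificate that does not match on-premises, and, when run with the <code>-Rotate<\/code> switch (this script\u2019s own parameter), issues and publishes a new Auth Certificate with Microsoft\u2019s documented <code>New-ExchangeCertificate<\/code> and <code>Set-AuthConfig<\/code> procedure. It assumes the Exchange Management Shell on an on-premises server, the Microsoft.Graph PowerShell module, and the well-known application ID <code>00000002-0000-0ff1-ce00-000000000000<\/code> of Office 365 Exchange Online; every other cmdlet it calls is a documented Exchange or Microsoft Graph cmdlet.<\/span><\/p>\n

```powershell
<#
  Added example (not from the original article, not a Microsoft script).
  Audits, and with -Rotate replaces, the Exchange Server Auth Certificate that a
  legacy hybrid deployment shares with Exchange Online.
  Run in the Exchange Management Shell on an on-premises Exchange server that has the
  Microsoft.Graph PowerShell module installed. -Rotate is this script's own switch;
  every cmdlet called is a documented Exchange or Microsoft Graph cmdlet.
#>
param(
    [switch]$Rotate   # audit only by default; -Rotate issues and publishes a new certificate
)

# --- 1. Patch level: compare these builds against Microsoft's published build table ---
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion | Format-Table -AutoSize

# --- 2. Certificates the on-premises side uses for OAuth (server-to-server auth) -------
$authConfig = Get-AuthConfig
$onPremThumbprints = @(
    $authConfig.CurrentCertificateThumbprint,
    $authConfig.NextCertificateThumbprint,
    $authConfig.PreviousCertificateThumbprint
) | Where-Object { $_ }

Write-Host 'On-premises auth certificates (Get-AuthConfig):'
foreach ($tp in $onPremThumbprints) {
    $cert = Get-ExchangeCertificate -Thumbprint $tp -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "  $tp is referenced by AuthConfig but is not in the local certificate store"
        continue
    }
    # An exportable private key is exactly what the attack described above needs.
    Write-Host ('  {0}  expires {1:yyyy-MM-dd}  PrivateKeyExportable={2}' -f $tp, $cert.NotAfter, $cert.PrivateKeyExportable)
}

# --- 3. Certificates the cloud side trusts --------------------------------------------
# In the legacy hybrid model the Hybrid Configuration Wizard registers the on-premises
# auth certificate as a key credential on the shared first-party "Office 365 Exchange
# Online" service principal. Every certificate listed here can obtain tokens that Exchange
# Online accepts as coming from Exchange itself, so anything not matching on-prem is suspect.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known appId of Office 365 Exchange Online
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" -Property 'id', 'keyCredentials'

Write-Host 'Key credentials on the Exchange Online service principal:'
foreach ($kc in $sp.KeyCredentials) {
    # customKeyIdentifier carries the certificate thumbprint as raw bytes
    $cloudTp = [System.BitConverter]::ToString($kc.CustomKeyIdentifier) -replace '-', ''
    $verdict = if ($onPremThumbprints -contains $cloudTp) { 'matches on-prem' } else { 'UNKNOWN - investigate, then remove' }
    Write-Host ('  {0}  valid until {1:yyyy-MM-dd}  {2}' -f $cloudTp, $kc.EndDateTime, $verdict)
}

if (-not $Rotate) { return }

# --- 4. Issue a replacement certificate and roll it in ----------------------------------
# Same subject and friendly name Exchange uses itself. The key must be exportable so the
# Hybrid Configuration Wizard can publish it to the cloud, which is why the servers that
# hold it have to be protected like domain controllers.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName @()

Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate          # switch Exchange to the new certificate
Set-AuthConfig -ClearPreviousCertificate    # forget the (possibly stolen) old one
iisreset /noforce | Out-Null                # let the Exchange web services pick up the new key

# The on-premises rotation alone changes nothing in the cloud: Exchange Online keeps
# trusting the old key until the service principal is updated. Re-run the Hybrid
# Configuration Wizard, or on servers with the April 2025 hotfix Microsoft's
# ConfigureExchangeHybridApplication.ps1, then run this script again without -Rotate and
# confirm that only the new thumbprint is still trusted.
Write-Host "Published new auth certificate $($newCert.Thumbprint). Now update the cloud side."
```

<p><span style=\"font-family: arial, helvetica, sans-serif\">Run it once without <code>-Rotate<\/code> to record the baseline and again after rotating: any thumbprint still trusted by the service principal but no longer listed by <code>Get-AuthConfig<\/code> is a key that an attacker who exported it can keep using, and only removing it from the service principal (through the Hybrid Configuration Wizard or Microsoft\u2019s dedicated hybrid app script) actually revokes it.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>4. 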
Restrict permissions and separate environments<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Grant on-premises Exchange administrator rights\u00a0<strong>only to accounts that truly need them<\/strong>; with this vulnerability, every on-premises Exchange administrator is effectively a cloud administrator.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Use separate accounts for on-premises and cloud administration (never the same credentials), so that one compromise does not hand over both.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Administer from\u00a0<strong>Privileged Access Workstations (PAWs)<\/strong>\u00a0and treat the Exchange servers that hold the auth certificate as tier-0 assets.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>This case shows how dangerous<\/strong>\u00a0CVE-2025-53786 is: it turns administrative access to on-premises Exchange into privileged access to Exchange Online, without leaving traces that are easy to detect. More than 29,000 unpatched servers are spread across many countries, and Vietnam is not exempt if organizations do not update and protect themselves.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Any organization running Exchange hybrid should install the hotfix, switch to the dedicated hybrid app and rotate the auth certificate promptly, to avoid becoming an easy target for cybercriminal groups worldwide.<\/span><\/p>\n<h2 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>References<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-29-000-exchange-servers-unpatched-against-high-severity-flaw\/\" target=\"_blank\" rel=\"noopener nofollow\">Over 29,000 Exchange servers unpatched against high-severity flaw<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a 
href=\"https:\/\/thehackernews.com\/2025\/08\/microsoft-discloses-exchange-server.html\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft Discloses Exchange Server Flaw Enabling Silent Cloud Access in Hybrid Setups<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53786\" target=\"_blank\" rel=\"noopener nofollow\">NVD &#8211; CVE-2025-53786<\/a><\/span><\/li>\n<\/ol>\n<table style=\"border-collapse: collapse;width: 100%;height: 24px\">\n<tbody>\n<tr style=\"height: 24px\">\n<td style=\"width: 100%;height: 24px\"><p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by FPT IS Technology Experts<\/strong>\u00a0<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh \u2013 FPT IS Cyber Security Center<\/em><\/span><\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":22759,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[858,712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-22755","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-private-sector-news","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/22755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/22759"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=22755"}],"wp:term":[{"
taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=22755"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=22755"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=22755"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=22755"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=22755"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=22755"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=22755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}