Over 29,000 Exchange servers exposed online remain unpatched against a high-severity vulnerability that can let attackers move laterally in Microsoft cloud environments, potentially leading to complete domain compromise.
The security flaw (tracked as CVE-2025-53786) helps threat actors who gain administrative access to on-premises Exchange servers to escalate privileges within the organization's connected cloud environment by forging or manipulating trusted tokens or API calls, without leaving easily detectable traces and making it hard to detect exploitation.
CVE-2025-53786 affects Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition, which replaces the perpetual license model with a subscription-based one, in hybrid configurations.
The flaw was disclosed after Microsoft released guidance and an Exchange server hotfix in April 2025 as part of its Secure Future Initiative, which supports a new architecture using a dedicated hybrid app that replaces the insecure shared identity previously used by on-premises Exchange Server and Exchange Online.
While Redmond has not yet found evidence of abuse in attacks, the vulnerability was still tagged as "Exploitation More Likely" because Redmond considers that exploit code allowing consistent exploitation could be developed, increasing its attractiveness to attackers.
According to scans from the security threat monitoring platform Shadowserver, more than 29,000 Exchange servers are still unpatched against potential CVE-2025-53786 attacks.
Out of a total of 29,098 unpatched servers detected on August 10, over 7,200 IP addresses were found in the United States, more than 6,700 in Germany, and over 2,500 in Russia.
Unpatched Exchange servers (Shadowserver)
Federal agencies ordered to mitigate over the weekend
One day after Microsoft disclosed the vulnerability, CISA issued Emergency Directive 25-02, ordering all Federal Civilian Executive Branch (FCEB) agencies, including the Department of Homeland Security, the Department of the Treasury, and the Department of Energy, to mitigate this high-severity Microsoft Exchange vulnerability by Monday at 9:00 AM ET.
... continue reading