PT-2025-32193 · Microsoft · Exchange Server

Dirk-Jan Mollema +1

Published 2025-04-18 · Updated 2025-09-24 · CVE-2025-53786

CVSS v3.1: 8.0
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions**

Microsoft Exchange Server (affected versions not specified)

**Description**

This vulnerability affects Microsoft Exchange Server in hybrid deployments. An attacker who has already gained administrative access to an on-premises Exchange server may be able to escalate privileges and gain unauthorized access to Exchange Online, potentially compromising the cloud environment. Exploitation may occur without generating detectable logs, enabling silent cloud access and hindering traditional auditing methods. The vulnerability stems from a service principal shared between the on-premises and Exchange Online environments. Over 28,000 IPs were found unpatched as of August 7, 2025, with the US, Germany, and Russia being the top affected countries. CISA has issued an emergency directive requiring federal agencies to address this vulnerability by August 11, 2025.

**Recommendations**

Install the April 2025 (or later) Hot Fix and implement the changes outlined in the April 18th, 2025 announcement.

Reset service principal credentials.

Run the Exchange Health Checker.

If hybrid Exchange is only used for SMTP relay, recipient management, and migrations, run the mitigation script detailed in the Exchange team blog post from the original announcement.

Consider disconnecting outdated servers.

Tags: Fix · LPE · RCE · Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2025-09477
CVE-2025-53786

Affected Products

Exchange Server