PT-2025-32193 · Microsoft · Exchange Server

Dirk-Jan Mollema (+1)

Published: 2025-04-18 · Updated: 2025-08-31 · CVE-2025-53786

**CVSS v3.1:** 8.0
**Vector:** AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

Microsoft Exchange Server versions prior to the April 2025 Hot Fix.

**Description:**

A critical elevation of privilege vulnerability exists in Microsoft Exchange Server hybrid deployments. An attacker who has already gained administrative access to an on-premises Exchange Server can escalate that access to the connected cloud environment, including Microsoft 365. The vulnerability stems from a service principal shared between the on-premises and Exchange Online environments: an attacker who controls the on-premises side can forge tokens that the cloud trusts, and because no log entry is generated for this token use, the activity is difficult to detect. Over 29,000 Exchange servers were reported as unpatched and vulnerable as of August 7, 2025. CISA issued an emergency directive mandating that federal agencies patch their systems by August 11, 2025.

**Recommendations:**

Apply the April 2025 (or later) Hot Fix and implement the configuration changes documented in the April 18th, 2025 announcement; for hybrid deployments this includes running the mitigation script where applicable. Beyond patching, consider rearchitecting the identity boundary between on-premises Exchange and the cloud so that a compromised on-premises server no longer holds credentials that are trusted by Exchange Online.

**Tags:** Fix · LPE · RCE · Improper Authentication

**Weakness Enumeration:**

**Related Identifiers:**

- BDU:2025-09477
- CVE-2025-53786

**Affected Products:**

- Exchange Server