Particle.news

Nearly 30,000 Exchange Servers Still Vulnerable After CISA Deadline

Federal agencies missed CISA’s 9 AM ET August 11 deadline, leaving thousands of servers exposed to a flaw that can grant cloud access through on-premises Exchange.

Overview

  • Over 29,000 internet-exposed Exchange servers remained unpatched worldwide as of August 12, with the US, Germany and Russia among the hardest hit.
  • The high-severity flaw CVE-2025-53786 lets an attacker who already holds on-premises admin privileges abuse the legacy hybrid identity trust to forge tokens or API calls and escalate into Microsoft 365 undetected.
  • Microsoft issued a hotfix in April under its Secure Future Initiative and is urging customers to deploy a dedicated hybrid application and Graph API integration.
  • Security experts warn that applying the patch alone is not enough and recommend rotating or resetting service principal credentials, inventorying hybrid configurations and disconnecting unsupported servers.
  • Although CISA’s emergency directive legally binds federal agencies, industry groups and vendors are pushing all organizations with hybrid deployments to adopt the same remediation steps.