Microsoft Exchange Server
cpe:2.3:a:microsoft:exchange_srv:*:*:*:*:*:*:*
A vulnerability allowing elevation of privilege has been identified in Microsoft Exchange Server hybrid deployments. The issue relates to the security implications described in guidance that Microsoft published on April 18, 2025 to strengthen hybrid Exchange environments. It is addressed by following the steps in that April announcement: installing the latest hotfix and applying the recommended configuration changes to the Exchange Server and the hybrid environment.
Successful exploitation of this vulnerability could allow an attacker with administrative access to an on-premises Exchange server to escalate privileges within the organization's connected cloud environment, potentially leading to unauthorized access or actions without leaving a detectable trace.
Users are advised to install the April 2025 (or later) hotfix available through the Microsoft Update Catalog for their respective Exchange Server version. After applying the hotfix, follow the configuration instructions to enable the dedicated Exchange hybrid app feature and reset the service principal's keyCredentials. Organizations that no longer use Exchange hybrid or OAuth authentication with Exchange Online are also recommended to reset the service principal's keyCredentials.
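The keyCredentials reset above is the step most relevant to detection and containment, because any certificate still present on the service principal is a credential the on-premises side can use against the tenant. The following PowerShell is an added example, not Microsoft's own remediation script: it uses the Microsoft Graph PowerShell SDK to list the credentials currently on the service principal and then clear them. The app ID for Exchange Online (`00000002-0000-0ff1-ce00-000000000000`) is a well-known Microsoft first-party value and not taken from this page; the `$Reset` switch and the audit-then-clear flow are this example's own design choices.

```powershell
# Added example: audit and reset keyCredentials on the Exchange Online service principal.
# Requires the Microsoft.Graph.Applications module and a signed-in administrator.
# Assumptions: the well-known Exchange Online app ID below is correct for the tenant,
# and the caller has the Application.ReadWrite.All permission.
param(
    [switch]$Reset   # without -Reset the script only reports, it changes nothing
)

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'  # assumption: well-known first-party app ID

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
if (-not $sp) {
    throw "Exchange Online service principal not found in this tenant"
}

# Audit step: record every certificate credential before touching anything.
# Each entry here is a credential an on-premises Exchange server could still present.
$creds = @($sp.KeyCredentials)
Write-Host ("Service principal {0} has {1} keyCredential(s)" -f $sp.Id, $creds.Count)
foreach ($c in $creds) {
    Write-Host (" - {0}  type={1}  start={2}  end={3}" -f $c.DisplayName, $c.Type, $c.StartDateTime, $c.EndDateTime)
}

if ($Reset -and $creds.Count -gt 0) {
    # Clearing keyCredentials removes every certificate-based credential at once.
    # Run with -WhatIf first to confirm the target before applying.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials @()
    $after = (Get-MgServicePrincipal -ServicePrincipalId $sp.Id).KeyCredentials
    Write-Host ("keyCredentials after reset: {0}" -f @($after).Count)
}
elseif (-not $Reset) {
    Write-Host "Audit only. Re-run with -Reset to clear the credentials listed above."
}
```

Run the script once without `-Reset` and keep the printed list as the before-state for the incident record; a non-empty list on a tenant that no longer uses hybrid or OAuth with Exchange Online is exactly the condition the page says warrants the reset. Only after the dedicated Exchange hybrid app is in place (per Microsoft's configuration instructions) should the credentials be cleared, otherwise hybrid features that still depend on the old service principal will stop working.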