
29,000 Unpatched Servers Still Vulnerable to Microsoft Exchange Flaw

Summary

– Over 29,000 unpatched Microsoft Exchange servers remain vulnerable to CVE-2025-53786, a flaw allowing attackers to control domains in hybrid cloud environments.
– The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, enabling privilege escalation via forged tokens or API calls.
– Shadowserver scans identified 29,098 exposed servers globally, with the highest numbers in the US, Germany, and Russia.
– CISA issued an emergency directive requiring federal agencies to mitigate the flaw by August 11, including patching and disconnecting vulnerable servers.
– Security experts warn of rapid weaponization if patching is delayed and recommend modern identity management practices to reduce risks.

Thousands of Microsoft Exchange servers remain vulnerable to a critical security flaw that could grant attackers domain-wide access in hybrid cloud setups. Security researchers have identified over 29,000 internet-facing systems still unpatched against CVE-2025-53786, a high-risk vulnerability affecting Exchange Server 2016, 2019, and Subscription Edition versions.

The vulnerability allows attackers who already hold administrative privileges on an on-premises Exchange server to escalate access into the connected Microsoft 365 environment. By manipulating authentication tokens or API requests, threat actors can bypass security checks while leaving minimal forensic traces. “This isn’t just about applying patches; teams must also rotate compromised credentials to fully neutralize the threat,” emphasized Thomas Richards, a senior infrastructure security specialist.

Global scans reveal the highest concentrations of unprotected servers in the United States (7,296), Germany (6,682), and Russia (2,513), with smaller clusters across Europe and North America. Microsoft initially released a fix in April 2025 as part of its Secure Future Initiative, replacing a flawed identity-sharing system with a dedicated hybrid authentication solution in Microsoft Entra ID. While no active attacks have been confirmed, the company warns that weaponized exploits could emerge imminently.

Federal agencies face urgent action deadlines after CISA’s Emergency Directive 25-02 mandated mitigation by August 11. Required steps include auditing Exchange deployments, isolating unpatched public servers, and installing cumulative updates alongside the April hotfix. Private organizations are strongly advised to follow suit.

Security analysts highlight broader risks tied to overlooked service accounts and non-human identities (NHIs) in hybrid environments. “The scale of machine identities now dwarfs human users, yet many lack proper oversight,” noted James Maude, a cybersecurity executive. Experts recommend tightening identity governance, implementing least-privilege controls, and continuously monitoring for anomalous token activity.

With the vulnerability still widespread, delays in remediation could lead to rapid exploitation. Elad Luz, a threat research lead, stressed: “Proactive measures like token revocation and API call validation are no longer optional; they’re critical to preventing domain takeover.”

For context on related threats, see our coverage of recent Outlook exploits targeting Exchange servers.

(Source: InfoSecurity Magazine)
