CVE-2025-53786

8.0 HIGH

On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix

Published: 2025-08-06 · Last updated: 2026-06-15

Severity and scoring

CVSS: 8.0 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-287

Affected products

Vendor	Product
microsoft	exchange_server, exchange_server_subscription_edition

Description

On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-53786
[Vendor advisory]https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786

Related CVEs

Same vendor

CVE-2026-50512 — Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privilege... (7.8 HIGH)
CVE-2026-50511 — Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privilege... (7.8 HIGH)
CVE-2026-50507 — Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack (6.8 MEDIUM)
CVE-2026-49161 — Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally (7.8 HIGH)
CVE-2026-49160 — Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network (7.5 HIGH)

Same CWE

CVE-2026-48780 — Forem is open source software for building communities (8.2 HIGH)
CVE-2026-48114 — Metacat is data repository software that helps researchers preserve, share, and discover data (9.8 CRITICAL)
CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)
CVE-2026-50623 — An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF (4.8 MEDIUM)
CVE-2026-48611 — Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading t... (9.8 CRITICAL)