The overall lesson, he added, is to move away from Exchange on-premises. “This product has become harder and harder to maintain,” he argued, “and Microsoft’s cloud solutions are an adequate alternative. This vulnerability does not add substantial risk and should not be treated as an emergency. Keeping Exchange patched and configured well is not easy, and must be done with careful testing.”
The vulnerability, CVE-2025-53786, stems from Microsoft’s April 18 release of Exchange Server Security Changes for Hybrid Deployments and the accompanying non-security HotFix, which were intended to improve the security of hybrid Exchange deployments.
Following further investigation, Microsoft said, it identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft also credited the efforts of Dutch researcher Dirk-jan Mollema, head of Outsider Security.
