Thousands of Servers Remain Unprotected Against the Microsoft Exchange Vulnerability, with Approximately 29,000 Unpatched


In a significant cybersecurity development, a vulnerability has been discovered in on-premises Microsoft Exchange servers that could potentially allow attackers with administrative access to escalate privileges in connected Microsoft 365 environments. This vulnerability, tracked as CVE-2025-53786, affects Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition.

The urgency of addressing this issue has been underlined by the US Cybersecurity and Infrastructure Security Agency (CISA), which issued Emergency Directive 25-02 last week, ordering all Federal Civilian Executive Branch agencies to mitigate the flaw by 9:00am EDT on August 11.

Microsoft disclosed the flaw last week; the hotfix that addresses it had already been issued in April 2025 under the company's Secure Future Initiative. The update replaces the insecure shared identity model used between on-premises and cloud Exchange services with a dedicated hybrid application in Microsoft Entra ID.

James Maude, Field CTO at BeyondTrust, explains the importance of visibility in modern hybrid IT environments. He states that the privilege of all identities, human and non-human, is of ever-increasing importance. Elad Luz, head of research at Oasis Security, echoes this sentiment, urging organisations to implement modern identity management practices, strong governance, and proactive security controls to reduce risks associated with non-human identities.

As of recent scans, there are 29,098 vulnerable servers worldwide. Countries with the most vulnerable servers include the US (7,296), Germany (6,682), Russia (2,513), France (1,558), the UK (955), Austria (928), and Canada (860). However, a verified country-by-country breakdown of unpatched Exchange Servers vulnerable to CVE-2025-53786 that are currently online is not available.

Public-facing Exchange servers running versions not covered by the April 2025 hotfix should be disconnected from the internet. Organisations should inventory their Exchange environments using Microsoft's Health Checker script. The latest cumulative updates (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016) and the April 2025 hotfix should then be applied.
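As an added illustration of the inventory step (example code written for this page, not the article's own material and not Microsoft's Health Checker script), the following PowerShell lists every Exchange server in the organisation with its exact installed build and flags servers that are not on a cumulative update covered by the hotfix. It assumes it is run from the Exchange Management Shell on a host that can reach each server over WinRM; the build numbers in the table are placeholders to be filled in from Microsoft's published Exchange Server build number table, which this article does not reproduce. The caveat it handles: `Get-ExchangeServer` reports only the CU level in `AdminDisplayVersion`, not the hotfix or security-update revision, so the script reads the file version of `ExSetup.exe` instead, which is the value Microsoft's build table lists.

```powershell
# Added example, not from the article or from Microsoft.
# Inventory the exact Exchange build on every server and flag servers that
# are not on a CU covered by the April 2025 hotfix.
# Assumptions: run from the Exchange Management Shell; PowerShell remoting
# (WinRM) to each server is available; build numbers below are PLACEHOLDERS.

# PLACEHOLDER table: one entry per CU the article names. Replace the keys with
# the Major.Minor.Build of each CU and the values with the Revision of the
# April 2025 hotfix build, both taken from Microsoft's Exchange build table.
$HotfixMinimumRevision = @{
    'MAJOR.MINOR.BUILD-2016-CU23' = 0   # PLACEHOLDER: Exchange 2016 CU23 + April 2025 hotfix
    'MAJOR.MINOR.BUILD-2019-CU14' = 0   # PLACEHOLDER: Exchange 2019 CU14 + April 2025 hotfix
    'MAJOR.MINOR.BUILD-2019-CU15' = 0   # PLACEHOLDER: Exchange 2019 CU15 + April 2025 hotfix
}

function Get-ExchangeHotfixStatus {
    param([hashtable]$Minimums = $HotfixMinimumRevision)

    foreach ($server in Get-ExchangeServer) {
        # Exact build including hotfix/security updates. AdminDisplayVersion
        # would only show the CU level, so read the ExSetup.exe file version,
        # which is Microsoft's documented way to obtain the precise build.
        $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
        }
        $v = [version]$fileVersion
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

        $status = if (-not $Minimums.ContainsKey($cuKey)) {
            # Not on CU23 / CU14 / CU15: the hotfix cannot be applied here.
            'CU not covered by hotfix: upgrade CU first (disconnect if public-facing)'
        } elseif ($v.Revision -ge $Minimums[$cuKey]) {
            'Hotfix build or later'
        } else {
            'Supported CU, April 2025 hotfix missing'
        }

        [pscustomobject]@{
            Server = $server.Name
            Build  = $fileVersion
            Status = $status
        }
    }
}

# Usage: servers needing action sort above those already at the hotfix build.
Get-ExchangeHotfixStatus | Sort-Object Status | Format-Table -AutoSize
```

The table is keyed on the first three version components (the CU) with a minimum revision per CU, rather than on a single organisation-wide minimum version, because a server on a newer CU without the hotfix can carry a higher version number than an older CU that has it.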

Microsoft has found no evidence of active exploitation so far, but warned that reliable attack code could be developed. Despite the government's deadline, thousands of servers are still exposed, increasing the risk of the vulnerability being weaponised.

Non-human identities (NHIs), including those used by AI, are rapidly outpacing human identities in scale and privilege, which underlines the importance of sound identity management practices. Organisations should act immediately to protect their Exchange servers and connected Microsoft 365 environments from potential cyber threats.