Microsoft has released the August 2025 Security Updates (SUs) for Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). These cumulative updates address multiple vulnerabilities and introduce default security hardening, and they explicitly include the capability required for on‑premises Exchange to support and use the dedicated Exchange hybrid app needed to mitigate CVE-2025-53786.
What’s in the August 2025 SUs
- Cumulative SUs for Exchange Server 2016, 2019, and SE, available for supported CUs, with Microsoft recommending immediate installation to protect environments.
- AMSI “HTTP message body” scanning is enabled by default for all protocols beginning with the August 2025 SU, building on enhancements introduced in November 2024.
- Administrators should plan for potential performance impact from AMSI body scanning and review documentation if tuning is required.
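Because the August 2025 SU turns AMSI body scanning on by default, an administrator who tuned or disabled AMSI through a setting override in the past should find out whether such an override is still present before assuming the new default is in effect. The following Exchange Management Shell snippet is an added example (not Microsoft's or Messageware's code): it lists any organization-wide setting override aimed at the front-end (Cafe) AMSI sections. It relies only on the built-in Get-SettingOverride and Get-ExchangeDiagnosticInfo cmdlets; the assumption that AMSI-related sections contain "Amsi" in their name is mine.

```powershell
# Added example: audit AMSI-related setting overrides on an Exchange server that has the
# August 2025 SU. Run from the Exchange Management Shell as an Organization Management member.
# Assumption: AMSI overrides live under the 'Cafe' component with 'Amsi' in the section name.

function Get-AmsiSettingOverrides {
    # Setting overrides are stored in Active Directory and apply org-wide (or per server
    # when -Server was used), so any match here can change the SU's scanning default.
    Get-SettingOverride -ErrorAction Stop |
        Where-Object { $_.ComponentName -eq 'Cafe' -and $_.SectionName -like '*Amsi*' } |
        Select-Object Name, ComponentName, SectionName, Parameters, Reason, Server
}

function Invoke-VariantConfigRefresh {
    # After adding or removing an override, Exchange must reload its variant configuration
    # on each server before the change is honoured; this forces that reload locally.
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
}

$overrides = @(Get-AmsiSettingOverrides)
if ($overrides.Count -eq 0) {
    Write-Output 'No AMSI setting overrides found: the SU default (body scanning on for all protocols) applies.'
} else {
    Write-Output "Found $($overrides.Count) AMSI-related override(s); review each before assuming the default is in effect:"
    $overrides | Format-Table -AutoSize
}
```

If the audit shows an override that was created to work around an older performance problem, remove it with Remove-SettingOverride on a test server first, run Invoke-VariantConfigRefresh there, and measure front-end CPU before rolling the change out; the page's performance caveat applies to the default scanning, not to the audit itself.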
CVE-2025-53786: Addressed via Dedicated Hybrid App Support
- The August 2025 SUs “contain the ability for Exchange Server on-premises to support the use of [the] dedicated Exchange hybrid app,” which is the configuration path Microsoft requires to mitigate CVE-2025-53786 in hybrid deployments.
- CVE-2025-53786 is an elevation-of-privilege risk in Exchange hybrid environments that can allow an attacker with administrative access to an on-premises Exchange server to escalate privileges in Exchange Online without easily detectable audit traces, due to shared service principal usage in legacy configurations.
- Security vendors and patch analyses confirm August 2025 includes coverage for CVE-2025-53786 alongside other Exchange CVEs, with remediation requiring both installing the SU and completing the dedicated hybrid app configuration.
Why this matters
- Hybrid coexistence features historically relied on EWS using the Exchange Online shared service principal; moving to a dedicated hybrid app reduces this attack surface and closes the core weakness cited in CVE-2025-53786.
- Microsoft has begun staged, temporary EWS traffic blocks to the shared service principal to accelerate adoption, with permanent blocking planned after October 31, 2025, affecting free/busy, MailTips, and profile picture sharing when not migrated.
- CISA highlights CVE-2025-53786 as a high-severity risk to identity integrity in Exchange Online if left unaddressed, urging organizations to follow Microsoft’s guidance for hybrid deployments.
Required actions
- Install the August 2025 SU on all Exchange servers, and on any workstations running the Exchange Management Tools, to maintain compatibility and protection.
- If in hybrid, transition to the dedicated Exchange hybrid app by completing Microsoft’s configuration steps.
- If the authentication certificate is changed after installing an SU, re-run HCW to ensure configuration remains consistent.
- For organizations that previously used hybrid or OAuth but no longer do, reset keyCredentials on the legacy shared service principal to remove residual trust.
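For the last item above, the residual trust lives in the keyCredentials (certificate list) of the tenant's first-party Exchange Online service principal. The following Microsoft Graph PowerShell snippet is an added example (not Microsoft's or Messageware's code): it first reports which certificates that service principal still trusts, and only clears them after an explicit confirmation. It assumes the Microsoft.Graph module is installed and that the operator has a role that can write application objects; the appId used is the well-known first-party "Office 365 Exchange Online" application, which you should verify in your own tenant before relying on it.

```powershell
# Added example: review, then reset, keyCredentials on the legacy shared Exchange Online
# service principal. Requires the Microsoft.Graph PowerShell module.
# Assumption: the shared service principal belongs to the first-party app below.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

function Get-LegacyHybridKeyCredentials {
    # Locate the service principal by appId rather than display name; names are not unique.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
    if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }
    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        KeyCredentials     = @($sp.KeyCredentials |
            Select-Object DisplayName, KeyId, StartDateTime, EndDateTime)
    }
}

$state = Get-LegacyHybridKeyCredentials
if ($state.KeyCredentials.Count -eq 0) {
    Write-Output 'No keyCredentials on the shared service principal: nothing to reset.'
} else {
    Write-Output "Shared service principal still trusts $($state.KeyCredentials.Count) certificate(s):"
    $state.KeyCredentials | Format-Table -AutoSize

    # Clear the list only once hybrid/OAuth is no longer used, or the dedicated hybrid app
    # is already in place; clearing it while legacy hybrid features are live breaks
    # free/busy, MailTips and the other features the article lists.
    if ((Read-Host 'Type RESET to clear keyCredentials') -eq 'RESET') {
        Update-MgServicePrincipal -ServicePrincipalId $state.ServicePrincipalId -KeyCredentials @()
        Write-Output 'keyCredentials cleared; the on-premises auth certificate no longer has Exchange Online trust.'
    }
}
```

Keep the first run read-only (answer anything but RESET) and record the output: the certificate thumbprints and expiry dates are the evidence that the legacy trust existed, and that record is what an incident responder will want if CVE-2025-53786 is later suspected in the tenant.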
Notes and FAQs
- Are August 2025 SUs cumulative? Yes—install the latest SU applicable to the supported CU; no need to chain older SUs.
- Do Exchange Online-only tenants need action? Exchange Online is already protected, but any on‑prem Exchange servers or management-only hosts in the environment should still be updated.
- Does the SU alone mitigate CVE-2025-53786? The SU enables on‑prem support for the dedicated hybrid app; full mitigation requires completing Microsoft’s dedicated hybrid app configuration steps.
Additional context
- Microsoft’s dedicated hybrid app guidance is part of broader Exchange Server security changes for hybrid deployments, with HCW updates released to simplify adoption.
- Industry coverage corroborates Microsoft’s position and timelines, emphasizing the need to move away from the shared service principal and prepare for permanent EWS blocking for that principal after October 31, 2025.
By installing the August 2025 SUs and completing the dedicated hybrid app migration, hybrid Exchange environments address the core pathway exploited by CVE-2025-53786 and align with Microsoft’s phased enforcement strategy to harden hybrid connectivity.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.