RCE Flaw (CVE-2025-21692) in the Linux Kernel - CyberDudeBivash Deep Dive — Author: Bivash Kumar Nayak

-


 Published: Sept 2025 — Expanded analysis, detection, and mitigations

Executive summary (expanded)

CVE-2025-21692 is an out-of-bounds indexing bug in the Linux kernel’s ETS qdisc code path (net/sched/ets.c), specifically in ets_class_from_arg(). When fed a crafted class ID (clid) of 0, the function may perform an OOB access, enabling memory corruption. Public exploit proofs-of-concept demonstrate that in many kernel builds this memory corruption can be turned into arbitrary kernel memory read/write, privilege escalation, and local code execution — enabling full host compromise, container escapes, or hypervisor compromise if host is a multi-tenant environment.

Why this matters immediately:

  • PoC code is public and mature.

  • Attackers only need local code execution (a low bar in CI/build hosts, multi-tenant VPS, compromised user accounts).

  • The exploit affects wide kernel ranges (many distros backported patches).

  • Impact expands beyond LPE: container escapes, host takeover, supply-chain pivot via developer machines.

Top actions (prioritized):

  1. Patch kernels now (see vendor advisories).

  2. Limit who can perform netlink/qdisc operations — drop capabilities like CAP_NET_ADMIN in containers and untrusted user contexts.

  3. Hunt for kernel OOPS/dmesg signatures, unusual use of tc/netlink by non-privileged users, and PoC Git clones on hosts.

1. Vulnerability technical analysis — deep

1.1 The component: ETS qdisc in Linux

ETS (Enhanced Transmission Selection) is a qdisc scheduler used for traffic shaping and QoS. It maintains classes and class identifiers (clid) internally. The kernel exposes configuration APIs via netlink (the tc userland uses netlink messages to manipulate qdiscs and classes).

ets_class_from_arg() takes user-supplied parameters and resolves them to internal class structures. The root of CVE-2025-21692: inadequate validation when clid equals 0; the logic allows indexing into internal arrays using zero as an index (or computed offset) that lands outside bounds, leading to read or write to arbitrary kernel memory structure slots.

1.2 Memory corruption mechanics

  • Out-of-bounds read/write — depending on how clid is used, kernel reads or writes an array element beyond intended boundaries.

  • Heap vs stack — ETS uses class structs allocated in kernel memory pools; OOB can corrupt neighboring objects or metadata.

  • Exploit primitives — attackers can leverage predictable kernel heap shapes to:

    • Overwrite function pointers or ops tables referenced by nearby objects.

    • Overwrite reference counts or pointers to create controlled arbitrary write chains.

    • Create arbitrary read primitives by corrupting length fields or pointers.

1.3 From corruption to control — exploitation chain patterns

Research PoCs demonstrate patterns:

  1. Heap grooming — allocate controlled kernel objects (via sockets, netlink, exploit helper syscalls) to position target objects adjacent to arrays indexed OOB.

  2. Trigger OOB write — call the vulnerable API with crafted clid and parameters so the kernel writes attacker-controlled data into neighboring structure fields.

  3. Hijack pointer — overwrite a callback pointer or ops struct so that a later benign kernel operation invokes controlled pointers.

  4. Arbitrary kernel R/W — use hijacked pointer to perform reads/writes to arbitrary kernel addresses.

  5. Privilege escalation — patch credential structs (task_struct->cred) or overwrite init_task pointers to set uid=0 or link to kernel shellcode, or install rootkit module. More modern proofs use kernel R/W to patch commit_creds/prepare_kernel_cred or set capabilities on current process.

  6. Persistence & escape — install kernel modules (if allowed) or modify boot scripts; on container hosts, inject into host namespaces to escape.

1.4 Exploit complexity

  • Moderate technical skill but not astronomical: requires kernel knowledge for grooming and ASLR bypass. Public PoCs have reduced complexity for widespread weaponization.

  • Many cloud/CI hosts run kernels that are either unpatched or within vulnerable ranges; threat actors adapt PoCs into commodity exploit packages.

2. Affected kernel range and vendor mapping

(Always verify with vendor advisories for exact package names and the fix versions.)

High-level mapping:

  • Upstream proofed vulnerable across kernels <= ~6.13.x (exact range depends on backports). Some older kernels (5.x series) are also vulnerable before patches.

  • Distros responded with advisories (examples, not exhaustive):

    • Ubuntu: Security notice with patched kernel package versions — prioritize HWE and LTS kernels.

    • Red Hat: RHSA advisory with backport patches for RHEL 8/9 kernels and derivatives (CentOS Stream, Rocky, Alma).

    • SUSE: SLES patches and recommended kernel updates.

    • Debian: Stable/oldstable updated kernel debs as backports.

Special considerations:

  • Cloud images (AWS AMI, Azure images, GCP images) may use distro kernels or custom kernels — check with your cloud provider for image patches.

  • Embedded and vendor kernels may be different — appliances and network devices may or may not be affected depending on kernel code presence and qdisc feature sets.

Vendor timeline (illustrative):

  • Discovery reported privately to kernel maintainers early 2025.

  • Upstream patch merged and publicized.

  • Distros released advisories weeks later; PoC appeared publicly shortly after patches.

  • Attackers start scanning for vulnerable kernels and proof-of-concept integration.

3. Practical exploit scenarios and risk models

3.1 CI/CD runners and build infrastructure

  • Risk: High. Runners execute untrusted code (third-party PRs, packages).

  • Attack: Malicious PR triggers PoC run in a runner; PoC gains host kernel access and escapes to host, stealing secrets (build keys, credentials), implanting backdoors into build artifacts.

  • Mitigations: Isolate runners, run in ephemeral VMs with isolated kernels, drop CAP_NET_ADMIN from container runtime, enforce network egress controls.

3.2 Multi-tenant cloud hosts

  • Risk: Extreme. Local kernel exploit could allow cross-tenant compromise.

  • Attack: VM escape or container breakout; root on host -> traverse to other tenants.

  • Mitigations: Patch host kernels ASAP, require hardware virtualization features and microVM isolation (Firecracker), restrict access to hosts, monitor for kernel OOPS.

3.3 Developer workstations

  • Risk: High to medium. Developers have SSH keys / pipeline access.

  • Attack: Phishing leads to user-level code execution, then kernel exploit escalates to root, allowing access to code repos, build keys.

  • Mitigations: Rapid patching on workstations, endpoint EDR, restrict sudo access, enforce disk encryption and secure key management.

3.4 Containers and orchestration

  • Risk: High. Containers often run with added network capabilities.

  • Attack: Containers with CAP_NET_ADMIN or CAP_SYS_ADMIN can trigger qdisc manipulations.

  • Mitigations: Remove unnecessary capabilities, avoid privileged containers, use security contexts, implement pod security policies (PSP/OPA/Gatekeeper), use gVisor/Firecracker for additional isolation.

4. Detection: what to hunt for (SOC playbook)

4.1 High-value logs and telemetry

  • Kernel logs: dmesg, journalctl -k, audit logs indicating BUG, Oops, panic, stack traces referencing ets_class_from_arg, sch_ets, net/sched/ets.c.

  • Netlink / TC usage: Audit netlink messages, tc invocations, or direct setsockopt/ioctl calls that create qdiscs / classes — flag those from non-root UIDs or unusual processes.

  • Process activity: Unexpected tc or ip commands executed by user shells; unusual git clone of PoC repos; building of kernel modules.

  • Behavioral changes: sudden spawn of insmod/modprobe, new kernel modules, suspicious ld.so loads, sudden root shells.

  • Filesystem changes: new binaries in /tmp, /var/tmp, /dev/shm that correlate with times of netlink activity.

  • Container runtime logs: container execs with network capability drops/changes.

4.2 Search queries (EDR/SIEM)

  • process_name:tc OR process_name:iproute2 AND user != root

  • dmesg: "ets_class_from_arg" OR "sch_ets" OR "net/sched/ets.c"

  • auditd: netlink_request AND (RTM_NEWQDISC OR RTM_NEWTCLASS)

  • file_created:*/tmp/poC* OR /tmp/.*cve.*21692*

  • process_exec:insmod OR modprobe within 5 minutes of netlink activity

4.3 Sigma detection templates (examples)

(Adapt to your SIEM syntaxes; these are pseudo-Sigma-style rules.)

Sigma: netlink qdisc from non-root

title: Unprivileged netlink qdisc operation
id: cdb-netlink-unprivileged-21692
logsource:
  product: linux
detection:
  selection:
    EventID: Netlink
    NetlinkType: RTM_NEWTCLASS
    UserID: '*'
    UserID|not_in: ['root', '0']
  condition: selection
level: high

Sigma: Kernel OOPS referencing ets

title: Kernel OOPS referencing ets (possible exploit)
id: cdb-kernel-oops-ets
logsource:
  product: linux
detection:
  selection:
    Message|contains:
      - "ets_class_from_arg"
      - "sch_ets"
      - "net/sched/ets.c"
  condition: selection
level: high

4.4 YARA (host artifact detection)

Detect PoC code/artifacts or strings in downloaded PoC repos:

rule cve_2025_21692_poc_artifacts
{
  meta:
    author = "CyberDudeBivash"
    cve = "CVE-2025-21692"
  strings:
    $a = "ets_class_from_arg"
    $b = "sch_ets"
    $c = "CVE-2025-21692"
  condition:
    any of ($a,$b,$c)
}

4.5 Forensic capture checklist (if suspected)

  • Full dmesg and journalctl -k outputs.

  • ps -ef, lsof -nP, netstat -tunap.

  • Auditd logs and netlink logs.

  • Container runtime logs (docker/containerd/kubelet).

  • Memory capture (LiME) if possible — kernel memory holds exploitation artifacts.

  • Copy of /tmp, /var/tmp, /dev/shm, and any modules installed: /lib/modules/* for modified module timestamps.

  • List of loaded kernel modules lsmod and last modified times.

5. Detailed mitigations — immediate to long term

5.1 Immediate combative measures (within hours)

  1. Apply vendor patches — BEST and FIRST action.

  2. Block untrusted local vectors:

    • For multi-tenant systems and CI/builds, temporarily disallow untrusted users from performing qdisc operations.

    • Implement firewall/iptables rules to prevent remote exploitation vectors (if any management interfaces expose netlink over network).

  3. Contain executables: block or quarantine hosts that show netlink activity from non-root users or kernel OOPS.

  4. Audit containers: identify containers with CAP_NET_ADMIN or CAP_SYS_ADMIN and reduce privileges.

5.2 Short-term operational changes (days)

  • Rebuild critical VMs/hosts from trusted images after patching if you suspect compromise.

  • Rotate secrets accessible from any newly compromised hosts.

  • Temporarily tighten apt/yum repositories and disable direct building on shared runners.

5.3 Long-term hardening (weeks → months)

  • Privilege minimization: ensure minimal capabilities for workload containers; use fine-grained seccomp/BPF filters to deny netlink family syscalls for workloads that don’t require them.

  • Kernel hardening: enable KASLR (where possible), kernel lockdown, ebpf-based or BPF LSM policies to block suspicious netlink message patterns.

  • Immutable images: CI workloads should run ephemeral VMs or microVMs (gVisor/Firecracker) rather than privileged containers on host kernels.

  • Process capability enforcement: use filesystem labels, SELinux/AppArmor profiles to restrict binary capabilities.

  • Monitoring & telemetry: implement continuous kernel log monitoring and netlink instrumentation.

  • Threat intel & patch cadence: automated CVE ingest and emergency patch pipelines for kernels.

6. Container & orchestration practical controls (recipes)

6.1 Kubernetes PodSecurity and runtime restrictions

  • Pod spec: ensure securityContext.capabilities.drop: ["NET_ADMIN", "SYS_ADMIN"] unless absolutely required.

  • Use PodSecurity admission to disallow privileged: true.

  • Use RuntimeClass with gVisor or other sandboxing for untrusted workloads.

Example Pod SecurityContext snippet:

securityContext:
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

6.2 CI runner guidance

  • Use ephemeral VMs rather than privileged containers; if containers are required, run in isolated pool and destroy after job completion.

  • Remove host kernel capabilities from job containers.

  • Prevent job artifacts from persisting on host filesystems; use separate artifact stores.

6.3 Docker daemon & host tuning

  • Configure dockerd to disallow --privileged usage.

  • Enable seccomp profiles that block netlink syscalls for untrusted images.

  • Use apparmor/SELinux to restrict tc and ip command execution.

7. Incident response — playbook and runbook

7.1 Triage checklist

  • Confirm patch level and kernel version.

  • Check for kernel OOPS signatures (ets_class_from_arg etc).

  • Check for netlink qdisc activity by non-root users in auditd logs.

  • Search for PoC artifacts (git clone, C/C++ compile of PoC code).

  • List recently installed kernel modules or changed kernel doc timestamps.

7.2 Containment steps

  1. Quarantine host (isolate network / VLAN).

  2. Stop any suspicious containers and mark images as untrusted.

  3. Snapshot VM for forensic analysis (do not revert until clean).

  4. Disable sensitive service accounts interacting with the suspected host.

7.3 Eradication steps

  1. Reimage host with patched kernel from trusted source.

  2. Rotate keys and secrets accessible from the host.

  3. Re-run full malware/indicator scan using updated IoC sets.

7.4 Recovery and lessons learned

  • Test and validate backups in isolated environment.

  • Conduct root cause analysis: how was PoC run? what local code ran? fix processes.

  • Update incident playbooks, implement enforcement to prevent recurrence.

8. Detection content pack: Sigma, YARA, OSQuery, and EDR snippets

8.1 Sigma rules (more detailed)

Sigma 1 — Kernel OOPS ets trace

title: Kernel OOPS containing ets references
id: cdb-kernel-oops-ets-2025
status: stable
description: Detects kernel OOPS messages referencing ets_class_from_arg or sch_ets
author: CyberDudeBivash
logsource:
  product: linux
detection:
  selection:
    Message|contains:
      - "ets_class_from_arg"
      - "sch_ets"
      - "net/sched/ets.c"
  condition: selection
level: critical

Sigma 2 — Unprivileged tc usage

title: Unprivileged tc qdisc/class creation
id: cdb-unprivileged-tc-2025
description: Non-root account attempting tc netlink operations
logsource:
  product: linux
detection:
  selection:
    EventID: CommandExecution
    CommandLine|contains:
      - "tc qdisc"
      - "tc class"
    UserID|not_in: ['root','0']
  condition: selection
level: high

8.2 Osquery investigations

Query: find recent tc executions by non-root

SELECT uid, username, cmdline, time
FROM process_events
WHERE (cmdline LIKE '%tc qdisc%' OR cmdline LIKE '%tc class%')
  AND uid != 0
ORDER BY time DESC
LIMIT 100;

Query: find loaded kernel modules recently modified

SELECT name, path, mtime
FROM kernel_modules
WHERE mtime > datetime('now', '-7 days')
ORDER BY mtime DESC;

8.3 YARA rules (artifact-based)

Detect PoC strings and likely exploit wrappers:

rule cve_2025_21692_strings
{
  meta:
    author = "CyberDudeBivash"
    description = "Detect PoC strings related to CVE-2025-21692"
  strings:
    $a = "ets_class_from_arg" ascii
    $b = "sch_ets" ascii
    $c = "CVE-2025-21692" ascii
    $d = "RTM_NEWTCLASS" ascii
  condition:
    any of ($a,$b,$c,$d)
}

9. Forensic and remediation scripts (practical drop-in)

9.1 Quick host triage bash script (to run on suspected hosts — copy to secure analysis host first)

WARNING: Do not run this on production hosts without understanding — use in controlled triage environments.

#!/bin/bash
set -e
OUTDIR=/tmp/cve21692-$(date +%s)
mkdir -p $OUTDIR

echo "[*] Collecting dmesg..."
dmesg > $OUTDIR/dmesg.txt || true

echo "[*] Collecting journalctl -k..."
journalctl -k --no-pager > $OUTDIR/journalctl-k.txt || true

echo "[*] ps, lsof, netstat..."
ps aux > $OUTDIR/ps.txt
lsof -nP > $OUTDIR/lsof.txt
ss -tunap > $OUTDIR/ss.txt

echo "[*] recent tc command history (bash history grep)..."
grep -E "tc (qdisc|class|filter)" /root/.bash_history /home/*/.bash_history 2>/dev/null || true

echo "[*] auditd logs for netlink events..."
ausearch -m NETLINK -i > $OUTDIR/audit_netlink.txt || true

echo "[*] list kernel modules..."
lsmod > $OUTDIR/lsmod.txt
find /lib/modules -type f -printf '%T+ %p\n' | sort -r > $OUTDIR/lib_modules_mtimes.txt || true

echo "[*] check for known PoC repo clones..."
find / -path /proc -prune -o -name "*cve-2025-21692*" -print > $OUTDIR/poc_find.txt 2>/dev/null || true

echo "[*] Done. Archive..."
tar -czf $OUTDIR.tgz -C /tmp $(basename $OUTDIR)
echo "[*] Archive at $OUTDIR.tgz"

9.2 System hardening helper: drop CAP_NET_ADMIN from existing containers (example for Docker)

# Show containers with NET_ADMIN capability
for cid in $(docker ps -q); do
  echo "Container $cid"
  docker inspect --format '{{.HostConfig.CapAdd}}' $cid
done

# To restart container without NET_ADMIN
docker run --cap-drop=NET_ADMIN --cap-drop=SYS_ADMIN ... <image>

10. Sector prioritization & playbook mapping

Prioritize patching and hunting by sector and asset criticality.

10.1 Cloud & hosting providers

  • Priority: Critical — patch hosts, coordinate with customers.

  • Action: Emergency kernel rollout; isolate compromised hosts; notify customers.

10.2 Financial services & payment processors

  • Priority: Very high — lateral movement yields data theft and transaction compromise.

  • Action: Patch, rotate keys, tighten CI pipelines, monitor for PoC usage.

10.3 Telecom & ISPs

  • Priority: High — core networking hosts are attractive targets.

  • Action: Harden BGP routers, edge hosts, and any hosts allowing netlink interactions.

10.4 CI/CD & DevOps platforms

  • Priority: Critical — pipeline compromise risks supply chain.

  • Action: Rebuild runners, enforce ephemeral hosts, scan build artifacts.

10.5 Critical infrastructure (OT/SCADA)

  • Priority: High (conditional) — many OT devices do not expose the ETS path, but gateway hosts may.

  • Action: Verify vendor kernel versions in embedded systems; coordinate patches with vendors.

11. Remediation verification matrix (checks after patching)

For each host:

  •  Kernel package is at or above vendor fixed version.

  •  No kernel OOPS since patch timestamp.

  •  No pending netlink qdisc operations by non-root users.

  •  Container capability audit shows NET_ADMIN removed where not needed.

  •  CI runners rebuilt from patched images.

  •  Secrets/keys rotated if host was suspected compromised.

12. Appendix — Ready IOCs, searching strings, and PoC artifacts

12.1 Strings to search in repo/artifacts

  • "ets_class_from_arg", "sch_ets", "net/sched/ets.c", "CVE-2025-21692", "RTM_NEWTCLASS", "RTM_NEWQDISC", "tc class", "tc qdisc"

12.2 Example kernel OOPS snippet (what to expect)

[ 1234.567890] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 1234.567891] pgd = ffff880000000000
[ 1234.567892] Call Trace:
[ 1234.567892]  ets_class_from_arg+0x1a3/0x3b0 net/sched/ets.c:...
[ 1234.567892]  ? __do_softirq+0x...

Search for ets_class_from_arg in dmesg/journalctl -k.

12.3 Public PoC provenance

  • Public GitHub PoC repos (researcher names) contain exploit code and demonstrations; finding git clone of PoC repos on a host is a strong indicator of local exploitation attempts or testing.

13. Communication artifacts: executive and customer messaging

13.1 Executive summary (CISO -> Board)

  • One paragraph: what happened, impact, status of patching, expected business impact, authorization to escalate resources.

Example:

CVE-2025-21692 is a kernel flaw that enables local privilege escalation on unpatched Linux kernels. Because attackers only need some form of local code execution to exploit this, exposed CI/build hosts and shared cloud hosts present the highest risk. We have initiated emergency patching for all hypervisors, CI pools, and developer build hosts; hunting for indicators of compromise is underway. We recommend rotating any high-privilege keys and restricting untrusted code execution until remediation is verified.

13.2 Customer advisory (if you operate hosting services)

  • Provide remediation steps, status of host patching, recommended customer actions (rotate keys, revoke service tokens, re-create ephemeral VMs), timeline.

14. CyberDudeBivash offers & playbook kits 

  • CVE-21692 SOC Pack — Sigma rules, Osquery queries, YARA rules, PoC detection heuristics (pack delivered as ZIP).

  • Emergency Patch Orchestration — scripts and playbooks to schedule kernel upgrades across fleets, including rollbacks and verifications.

  • Memory Forensics Support — LiME-based memory capture and core analysis for suspected compromised hosts.

  • Training Workshop — “Hunting kernel exploits and capturing kernel forensics” for IR teams.

15. References & authoritative advisories

(Representative; always consult vendor pages for exact package and CVE details)

  • NVD / CVE-2025-21692 entry (description & CVSS).

  • Public PoC GitHub repositories and researcher write-ups.

  • Vendor advisories: Ubuntu, Red Hat, SUSE, Debian, Cloud provider advisories.

  • Security writeups and analysis (Wiz.io writeups, other researchers).

Final action checklist 

  1. Patch all kernels (hypervisors, hosts, dev workstations, CI runners) now.

  2. Hunt for kernel OOPS logs with ets references and unusual netlink activity.

  3. Contain suspected hosts; capture memory and artifacts.

  4. Mitigate by removing CAP_NET_ADMIN and limiting netlink usage in containers.

  5. Rebuild as necessary and rotate secrets.

  6. Report to regulators/ISACs if breach confirmed.

Closing note 

This deep dive consolidates the public technical analysis, vendor advisory guidance, PoC signals, and operational playbooks into an actionable package. I covered technical details, detection signatures, automation recipes, scripts, and sector prioritization — all ready for SOC integration or CISO briefings.

Comments

Post a Comment

Popular posts from this blog

CyberDudeBivash Rapid Advisory — WordPress Plugin: Social-Login Authentication Bypass (Threat Summary & Emergency Playbook)

-
Image
  TL;DR: A class of vulnerabilities in WordPress social-login / OAuth plugins can let attackers bypass normal authentication flows and obtain an administrative session (or create admin users) by manipulating OAuth callback parameters, reusing stale tokens, or exploiting improper validation of the identity assertions returned by providers. If you run a site that accepts social logins (Google, Facebook, Apple, GitHub, etc.), treat this as high priority : audit, patch, or temporarily disable social login until you confirm your plugin is safe. This advisory gives you immediate actions, detection steps, mitigation, and recovery guidance. Why this matters (short) Social-login plugins often accept externally-issued assertions (OAuth ID tokens, authorization codes, user info). If the plugin fails to validate provider signatures, nonce/state values, redirect URIs, or maps identities to local accounts incorrectly , attackers can craft requests that the site accepts as authenticated. ...
Read more

Hackers Injecting Malicious Code into GitHub Actions to Steal PyPI Tokens CyberDudeBivash — Threat Brief & Defensive Playbook

-
Image
  SUMMARY  Attackers are modifying GitHub Actions workflows (via compromised accounts, malicious PRs, or forged commits) to add steps that exfiltrate PyPI (or other package registry) publishing tokens. With those tokens they publish backdoored packages or download private packages — a supply-chain multiplier. Defend by eliminating long-lived secrets, switching to OIDC/ephemeral credentials, hardening workflow controls, monitoring workflow changes and secret usage, and rotating tokens immediately if you suspect compromise. How attackers typically operate  Gain write access to repo or CI/CD config (via compromised developer account, stolen token, privilege abuse, or merge of malicious PR). Modify or add a workflow file that runs in the repo’s runner context (self-hosted or GitHub-hosted). Add steps that read repository secrets (e.g., PYPI_TOKEN ) or create credentials files ( ~/.pypirc ), then send the token to attacker-controlled endpoints or push a malicious p...
Read more

Exchange Hybrid Warning: CVE-2025-53786 can cascade into domain compromise (on-prem ↔ M365) By CyberDudeBivash — Cybersecurity & AI

-
Image
  Executive summary CVE-2025-53786 is a post-authentication elevation of privilege in Microsoft Exchange hybrid deployments . If an attacker first gains admin on an on-prem Exchange server , they can abuse the legacy “shared service principal” trust used by Hybrid Configuration to escalate into Exchange Online —potentially leading to full cloud+on-prem domain compromise . CISA issued Emergency Directive ED-25-02 with a deadline of 9:00 a.m. EDT on August 11, 2025 for U.S. federal agencies; Microsoft urges all hybrid customers to take the same steps: apply the April 2025 Hotfix Updates , migrate to the dedicated Exchange Hybrid app , and reset/clean up service principal credentials . cisa.gov +1 TECHCOMMUNITY.MICROSOFT.COM +1 Why this is dangerous: actions initiated from the on-prem Exchange side may not show up as obviously malicious in M365 audit trails, making cloud abuse harder to spot if you’ve not modernized the trust. TechRadar What is actually vulnerable? (trust...
Read more