On August 6, 2025, Microsoft announced a vulnerability with hybrid deployments because of a shared service principal between the Exchange on-premises deployment and Exchange Online. The vulnerability is found in the on-premises side. Basically, if a threat actor can gain administrative rights to an on-premises Exchange server, they can privilege escalate to the cloud environment through that shared service principal.
