The German national cybersecurity authority warned on Tuesday that it found at least 17,000 Microsoft Exchange servers in Germany exposed online and vulnerable to one or more critical security vulnerabilities.
According to the German Federal Office for Information Security (BSI), around 45,000 Microsoft Exchange servers in Germany have Outlook Web Access (OWA) enabled and are accessible from the Internet.
Approximately 12% of these servers still use outdated versions of Exchange (2010 or 2013), which have not received security updates since October 2020 and April 2023, respectively.
For the Exchange 2016 or 2019 servers exposed online, roughly 28% have not been patched for at least four months and are vulnerable to at least one critical security flaw exploitable in remote code execution attacks.
"Overall, at least 37% of Exchange servers in Germany (and in many cases also the networks behind them) are severely vulnerable. This corresponds to approx. 17,000 systems. In particular, many schools and colleges, clinics, doctor's offices, nursing services and other medical institutions, lawyers and tax consultants, local governments, and medium-sized companies are affected," the BSI warned [PDF].
"As early as 2021, the BSI warned several times against the active exploitation of critical vulnerabilities in Microsoft Exchange and temporarily called the IT threat situation 'red.' Nevertheless, the situation has not improved since then, as many Exchange server operators continue to act very carelessly and do not release available security updates in a timely manner."
The BSI urged the admins of these unpatched servers to always use current Exchange versions, install all available security updates, and configure instances exposed online securely.
To do that, they must regularly check whether their systems are on the current Microsoft Exchange patch level and ensure that the March 2024 monthly security updates are installed as soon as possible:
- Exchange Server 2019 CU14 Mar24SU (build number 15.2.1544.9)
- Exchange Server 2019 CU13 Mar24SU (build number 15.2.1258.32)
- Exchange Server 2016 CU23 Mar24SU (build number 15.1.2507.37)
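One way to automate that patch-level check, as an added example that is not part of the BSI advisory or any Microsoft tooling: it reads the build of the local Exchange installation from ExSetup.exe (whose ProductVersion, unlike AdminDisplayVersion, reflects the installed SU) and compares it against the March 2024 builds listed above. It assumes it runs in the Exchange Management Shell on the server itself; off an Exchange server it falls back to a constructed sample build.

```powershell
# Added example, not from the BSI advisory or from Microsoft.
# Minimum patched builds per CU branch, taken from the list above.
$Mar24SU = @{
    '15.2.1544' = [version]'15.2.1544.9'   # Exchange 2019 CU14
    '15.2.1258' = [version]'15.2.1258.32'  # Exchange 2019 CU13
    '15.1.2507' = [version]'15.1.2507.37'  # Exchange 2016 CU23
}

function Test-ExchangeMar24SU {
    param([Parameter(Mandatory)][string]$BuildString)
    # ExSetup.exe ProductVersion looks like "15.01.2507.035"; [version] parses the zero padding.
    $build  = [version]$BuildString
    $branch = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build

    # Exchange 2010 (14.x) and 2013 (15.0.x) no longer receive security updates at all.
    if ($build.Major -lt 15 -or ($build.Major -eq 15 -and $build.Minor -eq 0)) {
        return [pscustomobject]@{ Build = $build; Status = 'Out of support: Exchange 2013 or older, no updates available' }
    }
    # A 2016/2019 build on a CU branch not in the table is an older CU that no longer gets SUs.
    if (-not $Mar24SU.ContainsKey($branch)) {
        return [pscustomobject]@{ Build = $build; Status = 'Unsupported CU: install a current CU before applying SUs' }
    }
    if ($build -ge $Mar24SU[$branch]) {
        return [pscustomobject]@{ Build = $build; Status = 'Mar24SU (or later) installed' }
    }
    [pscustomobject]@{ Build = $build; Status = "Missing Mar24SU: need at least $($Mar24SU[$branch])" }
}

# Read the local build; if ExSetup.exe is not on the PATH (not an Exchange server),
# use a constructed sample so the check can still be exercised.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
$localBuild = if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion } else { '15.01.2507.035' }  # constructed sample
Test-ExchangeMar24SU -BuildString $localBuild | Format-List
```

Run it from a scheduled task or a configuration-management check so a server that silently falls behind the current SU is flagged rather than discovered by an attacker's scan.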
The BSI also recommends restricting access to web-based Exchange server services such as Outlook Web Access to trusted source IP addresses or securing them via a VPN rather than making them accessible from the Internet.
Furthermore, to protect against active exploitation of CVE-2024-21410, the critical privilege escalation vulnerability Microsoft disclosed last month, they must enable Extended Protection on all Exchange servers using Microsoft's dedicated PowerShell script.
In February, threat monitoring service Shadowserver warned that 28,500 Microsoft Exchange servers were vulnerable to ongoing CVE-2024-21410 attacks. Shadowserver also confirmed the BSI's findings, saying that up to 97,000 servers, including over 22,000 in Germany, could potentially be vulnerable if Extended Protection was not enabled.
Microsoft now automatically enables Extended Protection on Exchange servers once the February 2024 H1 Cumulative Update (CU14) is installed.
The company also urged Exchange admins one year ago to keep their on-premises servers up-to-date, so they're always ready to deploy emergency security patches.
Comments
h_b_s - 3 months ago
When I see big numbers like this my first question is: How many of these instances are viable, in-use servers versus honeypots of varying degrees of sophistication?
The advice is viable regardless of statistical authenticity, but big numbers make for better, more eye-catching headlines. Simple, surface-level port scans won't reveal the difference between a vulnerable in-use server and most forms of honeypots.
devrimer - 3 months ago
MS products??? Never ever!!! Always problems and always headaches.
Linux forever!
zamroni - 3 months ago
If not updated, Linux servers are not secure either, just like what happened during the OpenSSL Heartbleed and Shellshock attacks, etc.
zamroni - 3 months ago
Why do the administrators disable automatic updates?
Most criminal hackers make hacking tools based on vulnerabilities disclosed in patch releases.
That's why it's important to install security updates immediately.