Over 20,000 Vulnerable Microsoft Exchange Servers Exposed to Attacks

Cyber Security Threat Summary:
The ShadowServer Foundation is warning that tens of thousands of Microsoft Exchange email servers in Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. These mail systems run a software version that is no longer supported and receives no updates, leaving them vulnerable to multiple security issues, some with a critical severity rating. In total, the researchers found close to 20,000 Microsoft Exchange servers that have reached end-of-life (EoL). More than half of the systems were located in Europe. In North America, there were 6,038 Exchange servers, and in Asia 2,241 instances.

Security Officer Comments:
While many of these servers have hit EoL, the researchers said that only 18% of servers have been updated since April of this year. Vulnerabilities in these systems are being exploited, and organizations have not taken the time to update them to protected versions. Multiple Exchange servers discovered on the public web are vulnerable to multiple remote code execution flaws. Some of the machines running older versions of Exchange mail server are vulnerable to ProxyLogon, a critical security issue tracked as CVE-2021-26855 that can be chained with a less severe bug, CVE-2021-27065, to achieve remote code execution.

According to ShadowServer, based on the build numbers obtained from the systems during the scan, there are close to 1,800 Exchange systems that are vulnerable to ProxyLogon, ProxyShell, or ProxyToken.

ShadowServer notes that the machines in their scans are vulnerable to the following security flaws:

  • CVE-2020-0688
  • CVE-2021-26855 - ProxyLogon
  • CVE-2021-27065 - part of the ProxyLogon exploit chain
  • CVE-2022-41082 - part of the ProxyNotShell exploit chain
  • CVE-2023-21529
  • CVE-2023-36745
  • CVE-2023-36439

Suggested Correction(s):
Organizations should work to update software and hardware as soon as patches are available. Products that have been deemed end-of-life will receive no further security updates. Continuing to use these products can put an organization at risk, and organizations should look to implement new systems or apply necessary updates.

According to the ShadowServer Foundation, even if the companies still running outdated Exchange servers have implemented available mitigations, those measures are not sufficient, as Microsoft recommends prioritizing the installation of updates on servers that are externally facing. For instances that have reached the end of support, the only remaining option is to upgrade to a version that still receives at least security updates.