Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

December 2, 2023 at 01:55PM

Nearly 20,000 Microsoft Exchange servers, outdated and unsupported, are susceptible to critical remote code execution flaws. Over half are in Europe, with thousands more in America and Asia. Scans reveal many still run Exchange 2007, 2010, and 2013 versions, risking infiltration via vulnerabilities like ProxyLogon. Security upgrades are recommended.

Meeting Takeaways:

1. Vulnerability Status: Tens of thousands of publicly accessible Microsoft Exchange email servers in Europe, the U.S., and Asia are running unsupported software versions and are vulnerable to remote code execution flaws.

2. Unsupported Versions:
– There are nearly 20,000 Microsoft Exchange servers that have reached the end-of-life stage and are no longer receiving updates, making them susceptible to various security risks.
– ShadowServer Foundation’s internet scans identified these vulnerable systems, with over half located in Europe, 6,038 in North America, and 2,241 in Asia.

3. Additional Findings by Sejiyama:
– Macnica security researcher Yutaka Sejiyama discovered approximately 30,000 Exchange servers with unsupported versions via Shodan scans:
   – 275 instances of Exchange Server 2007
   – 4,062 instances of Exchange Server 2010
   – 26,298 instances of Exchange Server 2013

4. Update Rate Concern:
– Since April, there has been only an 18% decrease in the number of end-of-life Exchange servers worldwide.
– Sejiyama expresses concern over the slow rate of updates given the continued exploitation of these vulnerabilities.

5. Specific Vulnerabilities:
– ProxyLogon (CVE-2021-26855) is particularly critical and can be exploited in combination with CVE-2021-27065.
– Approximately 1,800 Exchange systems are susceptible to ProxyLogon, ProxyShell, or ProxyToken vulnerabilities, according to Sejiyama’s research based on build numbers.

6. Severity and Exploitation Likelihood:
– The vulnerabilities identified have been marked as “important” by Microsoft, though not “critical.”
– ProxyLogon has been actively exploited in attacks, while the rest are deemed “more likely” to be exploited.

7. Mitigation and Recommendations:
– Companies with obsolete Exchange servers may have implemented certain mitigations, but Microsoft advises prioritizing updates on externally facing servers as the more urgent measure.
– For servers that have reached end of support, the only remaining option is to upgrade to a version that is still receiving security updates.
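
The prioritisation in item 7 can be applied to an internal inventory by reading each server's build number. The following is an added example, not code from the article or from Microsoft. It assumes the standard Exchange version prefixes (8.x for 2007, 14.x for 2010, 15.0 for 2013); the hostnames, builds and function names are constructed for illustration.

```python
import re

# Accepts "15.0.1497.2" and the "Version 15.0 (Build 1497.2)" display form.
BUILD_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+)\.(\d+)| \(Build (\d+)\.(\d+)\))")

def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if unrecognised."""
    m = BUILD_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def eol_product(build):
    """Map a build to one of the product lines the page lists as unsupported."""
    major, minor = build[:2]
    if major == 8:
        return "Exchange 2007"
    if major == 14:
        return "Exchange 2010"
    if (major, minor) == (15, 0):
        return "Exchange 2013"
    return None  # not on the page's list; check the vendor lifecycle page

def triage(inventory):
    """Sort hosts so externally facing, unsupported servers come first."""
    rows = []
    for host, build_text, internet_facing in inventory:
        build = parse_build(build_text)
        product = eol_product(build) if build else None
        if build is None:
            action, unsupported = "identify build manually", True  # fail closed
        elif product:
            action, unsupported = f"upgrade ({product} is end-of-life)", True
        else:
            action, unsupported = "confirm support status, apply updates", False
        rank = (0 if unsupported else 2) + (0 if internet_facing else 1)
        rows.append((rank, host, action))
    return sorted(rows)

# Constructed sample inventory: (hostname, reported build, internet-facing?)
SAMPLE = [
    ("mail-int.example.test", "15.2.1118.40", False),
    ("owa.example.test", "Version 15.0 (Build 1497.2)", True),
    ("legacy.example.test", "14.3.513.0", False),
    ("edge.example.test", "15.1.2507.35", True),
    ("old-lab.example.test", "n/a", False),
]

if __name__ == "__main__":
    for rank, host, action in triage(SAMPLE):
        print(rank, host, action)
```

Hosts whose build cannot be parsed are ranked with the unsupported servers so they are not silently skipped.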

