Over 20,000 Microsoft Exchange email servers across Europe, the U.S., and Asia are at risk of cyber attacks due to running on unsupported software versions that no longer receive any updates. These servers are susceptible to numerous security issues, including some with a critical severity rating. The ShadowServer Foundation's internet scans have revealed these alarming figures.
On a single day, the majority of these vulnerable systems were found in Europe, with over 6,000 in North America and more than 2,000 in Asia. However, these statistics may not represent the full scale of the issue. Yutaka Sejiyama, a security researcher at Macnica, discovered over 30,000 Microsoft Exchange servers that have reached the end of support and are exposed on the public web.
According to Sejiyama's scans on Shodan, as of late November, there were 30,635 machines on the public web running an unsupported version of Microsoft Exchange. His research also showed that since April this year, the global number of end-of-life Exchange servers has only decreased by 18% from 43,656, a reduction rate that Sejiyama deems insufficient. He stated, “Even recently, I still see news of these vulnerabilities being exploited, and now I understand why. Many servers are still in a vulnerable state.”
The ShadowServer Foundation pointed out that the outdated Exchange servers they found on the public web are susceptible to multiple remote code execution flaws. Some servers running older versions of the Exchange mail server are vulnerable to ProxyLogon, a critical security issue identified as CVE-2021-26855. ProxyLogon can be chained with a less severe bug, CVE-2021-27065, to achieve remote code execution.
Sejiyama's research found that nearly 1,800 Exchange systems are vulnerable to ProxyLogon, ProxyShell, or ProxyToken, judging by the build numbers obtained from the systems during the scan. ShadowServer noted that the machines in their scans are vulnerable to several security flaws, which Microsoft has marked as “important.” Except for the ProxyLogon chain, which has been exploited in attacks, all of them were tagged as “more likely” to be exploited.
Companies that continue to run outdated Exchange servers may have implemented available mitigations, but this is not enough. Microsoft advises prioritizing the installation of updates on servers that are externally facing. However, for servers that have reached the end of support, the only remaining option is to upgrade to a version that still receives security updates.