Numerous Microsoft Exchange email servers across Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. These servers run unsupported software versions that no longer receive updates and are affected by multiple security issues, some of critical severity.

Recent scans by The ShadowServer Foundation indicate the presence of nearly 20,000 Microsoft Exchange servers on the public internet that have reached their end-of-life (EoL) stage. As of Friday, over half of these systems were identified in Europe, with 6,038 in North America and 2,241 in Asia.

Source: The ShadowServer Foundation

However, these statistics may not present the complete picture, as Macnica security researcher Yutaka Sejiyama discovered over 30,000 Microsoft Exchange servers that have reached end of support. Sejiyama’s scans on Shodan in late November revealed 30,635 machines on the public web with an unsupported version of Microsoft Exchange, including 275 instances of Exchange Server 2007, 4,062 instances of Exchange Server 2010, and 26,298 instances of Exchange Server 2013.

Comparing update rates, Sejiyama noted a modest 18% decrease in the global number of EoL Exchange servers since April, from 43,656. This reduction is deemed insufficient, especially considering ongoing reports of vulnerabilities being exploited.

The ShadowServer Foundation emphasizes that these outdated Exchange machines on the public web are susceptible to various remote code execution flaws. Some of the servers, particularly those running older Exchange versions, are vulnerable to critical security issues like ProxyLogon (CVE-2021-26855), which can be combined with a less severe bug (CVE-2021-27065) to achieve remote code execution.

According to Sejiyama’s analysis of build numbers obtained during the scan, approximately 1,800 Exchange systems are vulnerable to ProxyLogon, ProxyShell, or ProxyToken vulnerabilities. The identified machines are at risk due to several security flaws, including CVE-2020-0688, CVE-2021-26855 (ProxyLogon), CVE-2021-27065 (part of the ProxyLogon exploit chain), CVE-2022-41082 (part of the ProxyNotShell exploit chain), CVE-2023-21529, CVE-2023-36745, and CVE-2023-36439.
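An inventory check built around the same idea, classifying Exchange build numbers by product generation and support status so a defender can find end-of-life servers in their own estate. This is an added example, not code from the article, The ShadowServer Foundation, or Sejiyama; the hostnames and build strings are constructed, and the generation mapping is the version scheme Exchange uses (2007 = 8.x, 2010 = 14.x, 2013 = 15.0.x, 2016 = 15.1.x, 2019 = 15.2.x), with support status as of the article's date in late 2023.

```python
"""Flag end-of-life Microsoft Exchange servers in an asset inventory by build number.

Added example, not code from the article or from the researchers it cites.
Assumptions: an inventory in "hostname,build" form (constructed below) and the
generation prefixes Exchange uses: 2007 = 8.x, 2010 = 14.x, 2013 = 15.0.x,
2016 = 15.1.x, 2019 = 15.2.x. Support status reflects late 2023: 2007, 2010 and
2013 are out of support; 2016 and 2019 still receive security updates.
"""
from collections import Counter
from typing import NamedTuple, Optional


class Generation(NamedTuple):
    name: str
    supported: Optional[bool]  # None when the build cannot be classified


# Keyed by (major, minor); a minor of None means "any minor version".
GENERATIONS = {
    (8, None): Generation("Exchange Server 2007", False),
    (14, None): Generation("Exchange Server 2010", False),
    (15, 0): Generation("Exchange Server 2013", False),
    (15, 1): Generation("Exchange Server 2016", True),
    # 15.2 is Exchange 2019; later SKUs reuse the prefix and are treated as supported here.
    (15, 2): Generation("Exchange Server 2019", True),
}

UNKNOWN = Generation("unknown", None)


def parse_build(build: str) -> Optional[tuple]:
    """Turn '15.0.1497.48' into (15, 0, 1497, 48); None if it is not a dotted version."""
    parts = build.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(build: str) -> Generation:
    """Map a build string to its product generation and support status."""
    parsed = parse_build(build)
    if parsed is None:
        return UNKNOWN
    major, minor = parsed[0], parsed[1]
    # Exact (major, minor) match first, then fall back to a major-only entry.
    gen = GENERATIONS.get((major, minor)) or GENERATIONS.get((major, None))
    return gen if gen is not None else UNKNOWN


def eol_report(inventory: str) -> dict:
    """Count out-of-support servers per generation from 'hostname,build' lines.

    Unknown builds are deliberately left out of the count rather than assumed
    to be end-of-life; they should be triaged by hand.
    """
    counts = Counter()
    for line in inventory.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        _host, _, build = line.partition(",")
        gen = classify(build)
        if gen.supported is False:
            counts[gen.name] += 1
    return dict(counts)


# Constructed sample inventory; hostnames and builds are made up for this example.
SAMPLE_INVENTORY = """
# hostname,build
mail01.example.test,15.0.1497.48
mail02.example.test,15.1.2507.35
legacy-mx.example.test,14.3.513.0
old-relay.example.test,8.3.83.6
mail03.example.test,15.2.1258.27
mail04.example.test,15.0.1497.2
broken.example.test,n/a
"""

if __name__ == "__main__":
    for name, n in sorted(eol_report(SAMPLE_INVENTORY).items()):
        print(f"{n:3d}  {name}")
```

The build string is the one field an administrator can read from every Exchange server (for example via `Get-ExchangeServer` or the server's management shell), so a report of this kind can be produced from an existing inventory without touching the servers from the outside; anything that lands in the unknown bucket is worth a manual look rather than being assumed safe.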

Most of these vulnerabilities are rated "important" rather than "critical" by Microsoft. Furthermore, with the exception of the already-exploited ProxyLogon chain, all are assessed as "more likely" to be exploited.

Even where organizations running outdated Exchange servers apply the available mitigations, that may not be enough: Microsoft recommends prioritizing the installation of updates, especially for servers exposed to the external network. For servers that have reached the end of support, upgrading to a version that still receives security updates remains the only viable option.
