An estimated 61% of Exchange servers in the wild are still operating unpatched against this security flaw, which allows attackers to take over a vulnerable server using any set of valid email credentials.
I bet when you’ve read one of my articles about how scammers fool users out of their Office 365 credentials, you never dreamed the next use of those credentials would be to take over your organization’s Exchange server! But that’s exactly what’s possible with this vulnerability, which has been public since February of this year.
Microsoft provided a patch for it on Patch Tuesday back in February, but newly updated Internet scan data from security vendor Rapid7 shows a massive number of Microsoft Exchange servers accessible from the Internet that are vulnerable to the published exploit. Some are running unsupported versions of Exchange, while others simply appear not to have been patched:
- 16,577 Exchange 2007 servers (out of support)
- 54,000 Exchange 2010 servers (EOS in October 2020)
- 67,000 Exchange 2013 servers (EOS in April 2023)
- 120,000 Exchange 2016 servers
- 19,000 Exchange 2019 servers
This news is terrifying! With administrative access to your organization’s Exchange servers, cybercriminals can run the gamut of scams – CEO fraud, brand and individual impersonation, business email compromise, island hopping to infect or scam partner or customer organizations, and more.
IT teams need to immediately patch any supported version of Exchange Server, devise a plan to move off any unsupported versions soon, and minimize Internet-based access to the Exchange environment.
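The first of those steps starts with knowing which generation each of your Exchange servers runs and whether the February security update is actually on it. The script below is an added example, not code from the original post or from Microsoft: it runs in the Exchange Management Shell, uses `Get-ExchangeServer` for the inventory, and reads the file version of `ExSetup.exe` over PowerShell remoting, because a security update bumps that file version while leaving `AdminDisplayVersion` (which only reflects the cumulative update) unchanged. The patched build numbers are placeholders, since the post does not list them; fill them in from Microsoft's release notes before trusting the Status column.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell
# and PowerShell remoting to each server; patched build numbers are placeholders.

function Get-ExchangeGeneration {
    # Map the Major/Minor of AdminDisplayVersion to the product generation:
    # 8.x = 2007, 14.x = 2010, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019.
    param([int]$Major, [int]$Minor)
    if ($Major -eq 8)  { return 'Exchange 2007' }
    if ($Major -eq 14) { return 'Exchange 2010' }
    if ($Major -eq 15) {
        switch ($Minor) {
            0 { return 'Exchange 2013' }
            1 { return 'Exchange 2016' }
            2 { return 'Exchange 2019' }
        }
    }
    return "Unknown ($Major.$Minor)"
}

# Support status as stated in the post: 2007 is already out of support,
# 2010 reaches end of support in October 2020, 2013 in April 2023.
$endingSoon = @{
    'Exchange 2010' = 'October 2020'
    'Exchange 2013' = 'April 2023'
}

# PLACEHOLDER: minimum ExSetup.exe file version that contains the February
# security update, per generation. The post gives no build numbers; populate
# these from Microsoft's release notes, e.g. [version]'15.1.0.0'.
$patchedFileVersion = @{
    'Exchange 2010' = $null
    'Exchange 2013' = $null
    'Exchange 2016' = $null
    'Exchange 2019' = $null
}

function Get-ExSetupVersion {
    # Read the file version of ExSetup.exe on the remote server. Returns $null
    # if the server cannot be reached, so the report still completes.
    param([string]$ComputerName)
    try {
        $s = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $exe).VersionInfo.FileVersion
        }
        if ($s) { return [version]$s }
    } catch { }
    return $null
}

$report = foreach ($srv in Get-ExchangeServer) {
    $v       = $srv.AdminDisplayVersion
    $gen     = Get-ExchangeGeneration -Major $v.Major -Minor $v.Minor
    $fileVer = Get-ExSetupVersion -ComputerName $srv.Fqdn

    $status = if ($gen -eq 'Exchange 2007') { 'OUT OF SUPPORT: no patch available, migrate' }
              elseif ($null -eq $fileVer) { 'Could not read ExSetup.exe version' }
              elseif ($null -eq $patchedFileVersion[$gen]) { 'Fill in patched build, then compare' }
              elseif ($fileVer -lt $patchedFileVersion[$gen]) { 'UNPATCHED' }
              else { 'Patched' }

    [pscustomobject]@{
        Server         = $srv.Name
        Generation     = $gen
        SupportEnds    = if ($endingSoon.ContainsKey($gen)) { $endingSoon[$gen] } else { '' }
        AdminVersion   = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        ExSetupVersion = $fileVer
        Status         = $status
    }
}

$report | Sort-Object Generation, Server | Format-Table -AutoSize
```

Run it from a machine with the Exchange management tools installed and an account that can open remote sessions to the servers; any row marked UNPATCHED or OUT OF SUPPORT is the one to act on first, and the SupportEnds column gives the migration deadline for the generations the post calls out.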