A recent study by the security specialists at Rapid7 shows that a lot of Exchange servers are missing an important security update, and many are missing far more than one.
Rapid7, a developer of IT security solutions, recently released a study on the security situation of publicly reachable Exchange servers.
The researchers scanned the internet for publicly reachable Outlook Web Access (OWA) sites and extracted the software version that OWA reveals in its login page. Two caveats follow from this method: servers with OWA disabled or not reachable from the internet were not counted at all, so the real number of vulnerable systems is likely higher; and the reported build number does not reliably show whether an individual security update has been installed, which is why the vulnerability figures below are lower bounds.
The results are devastating:
In total, 443,464 servers were found.
At least 357,629 of them were still vulnerable to CVE-2020-0688, a flaw in the Exchange Control Panel that lets any attacker with valid mailbox credentials run code as SYSTEM (!!!). The patch was released in February 2020.
What is more concerning:
Over 31,000 Exchange 2010 servers have not been patched since 2012 (!!!!!).
Nearly 800 Exchange 2010 servers have not been patched AT ALL (!!!!!!!).
And last but not least: they still found 10,731 Exchange 2007 servers. Its end of life was in April 2017…
So, please check your Exchange servers: Do they have the latest cumulative update? Have you installed all security updates on top of it? Keep in mind that a security update only installs on a supported cumulative update, so an outdated CU means the February patch is missing as well. And are you already planning the migration of your Exchange 2010 servers (end of life is October 2020)?
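To see for yourself what the Rapid7 scan saw, here is an added example (my own code, not Rapid7's scanner and not part of the original post) that pulls the build number out of an OWA login page and classifies it the way the study did: anything below the oldest cumulative update that can carry the February 2020 fix is definitely vulnerable, anything at or above it needs a check on the host. The sample page is constructed, the path shapes (/owa/auth/<build>/ for Exchange 2013 and later, /owa/<build>/ for 2007 and 2010) and the baseline builds (2010 SP3 RU30, 2013 CU23, 2016 CU14, 2019 CU3) are from memory of Microsoft's build number table and should be verified before you rely on them.

```python
import re
import urllib.request
from typing import NamedTuple, Optional, Tuple

# Constructed fragment of an OWA login page (not a real capture). Exchange 2013
# and later embed the build number in the resource paths of the logon page.
SAMPLE_OWA_LOGIN_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.1591/themes/resources/favicon.ico" type="image/x-icon">
<link rel="stylesheet" href="/owa/auth/15.1.1591/themes/resources/logon.css">
</head><body><form action="/owa/auth.owa" method="POST">...</form></body></html>
"""

# Assumption about path shapes: Exchange 2013/2016/2019 use
# /owa/auth/<major.minor.build>/..., Exchange 2007/2010 use /owa/<major.minor.build.rev>/...
BUILD_RE = re.compile(r"/owa/(?:auth/)?(\d+(?:\.\d+){2,3})/")

# Oldest build per product line that can carry the February 2020 update for
# CVE-2020-0688 (Exchange 2010 SP3 RU30, 2013 CU23, 2016 CU14, 2019 CU3).
# Assumption from memory of Microsoft's Exchange build table: verify before use.
BASELINES = {
    (14, 3): (14, 3, 496),
    (15, 0): (15, 0, 1497),
    (15, 1): (15, 1, 1847),
    (15, 2): (15, 2, 464),
}


class Assessment(NamedTuple):
    build: str
    product: str
    status: str  # "vulnerable", "check-host", "end-of-life" or "unknown"


def parse_build(html: str) -> Optional[Tuple[int, ...]]:
    """Return the build number embedded in OWA resource paths, or None if absent."""
    m = BUILD_RE.search(html)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def product_for(build: Tuple[int, ...]) -> str:
    """Map the major.minor of a build to the Exchange product line."""
    major, minor = build[0], build[1]
    if major == 8:
        return "Exchange 2007"
    if major == 14:
        return "Exchange 2010"
    if major == 15:
        return {0: "Exchange 2013", 1: "Exchange 2016", 2: "Exchange 2019"}.get(minor, "unknown")
    return "unknown"


def assess(build: Tuple[int, ...]) -> Assessment:
    version = ".".join(str(p) for p in build)
    product = product_for(build)
    if product == "unknown":
        return Assessment(version, product, "unknown")
    if product == "Exchange 2007":
        # Out of support since April 2017: no fix exists, whatever the build.
        return Assessment(version, product, "end-of-life")
    baseline = BASELINES.get(build[:2])
    if baseline is None or build[:3] < baseline:
        # Exchange 2010 before SP3 (14.0-14.2) or a CU older than the oldest
        # one that can receive the fix: definitely unpatched.
        return Assessment(version, product, "vulnerable")
    # At or above the baseline the build alone does not prove the security
    # update is installed, so confirm on the host (this is why the study
    # reports the vulnerable count as "at least").
    return Assessment(version, product, "check-host")


def assess_owa_page(html: str) -> Optional[Assessment]:
    build = parse_build(html)
    return assess(build) if build else None


def fetch_owa_login_page(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the OWA logon page of one of your own servers (redirects are followed)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/owa/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(assess_owa_page(SAMPLE_OWA_LOGIN_PAGE))
```

Run it against your own OWA URLs with fetch_owa_login_page (only against systems you are responsible for). A result of "check-host" means you have to log on to the server and compare the file version of ExSetup.exe with Microsoft's build table: the AdminDisplayVersion shown by Get-ExchangeServer only reflects the cumulative update level, not the security updates installed on top of it.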