Tens of thousands of Microsoft Exchange email servers across Europe, the United States, and Asia have been identified as susceptible to remote code execution flaws when exposed on the public internet. These mail systems are operating on an outdated software version, lacking any current support or updates. Consequently, they are at risk of multiple security issues, some of which are deemed critical in severity.
According to findings by The ShadowServer Foundation, recent internet scans reveal that nearly 20,000 Microsoft Exchange servers are currently accessible on the public internet and have reached the end-of-life (EoL) stage.
As of last Friday, a significant portion of these systems, over half, were identified in Europe. North America accounted for 6,038 Exchange servers, while Asia had 2,241 instances.
Yet, ShadowServer’s data might not present the whole story. Macnica security researcher Yutaka Sejiyama uncovered slightly more than 30,000 Microsoft Exchange servers that have reached the end of support.
Based on Sejiyama’s investigations using Shodan, as of late November, there were 30,635 machines on the public web running an unsupported version of Microsoft Exchange. This included 275 instances of Exchange Server 2007, 4,062 instances of Exchange Server 2010, and a substantial 26,298 instances of Exchange Server 2013.
RCE (Remote Code Execution) Risk
The researcher also looked at how quickly these servers are getting updated. Since April of this year, the global number of Exchange servers that have reached the end-of-life (EoL) stage decreased by only 18%, dropping from 43,656. According to Sejiyama, this decrease is not enough.
“I still see news of these vulnerabilities being exploited, and now I understand why. Many servers are still in a vulnerable state,” says Yutaka Sejiyama.
The ShadowServer Foundation points out that the outdated Exchange servers found on the public web are at risk of multiple remote code execution flaws.
Some of these servers running older versions of the Exchange mail server are vulnerable to ProxyLogon, a critical security issue known as CVE-2021-26855. It can be combined with a less severe bug, identified as CVE-2021-27065, to achieve remote code execution.
According to Sejiyama’s findings, based on the build numbers obtained during the scan, there are nearly 1,800 Exchange systems vulnerable to either ProxyLogon, ProxyShell, or ProxyToken vulnerabilities.
ShadowServer notes that the machines in their scans are susceptible to the following security flaws:
- CVE-2020-0688
- CVE-2021-26855 (ProxyLogon)
- CVE-2021-27065 (part of the ProxyLogon exploit chain)
- CVE-2022-41082 (part of the ProxyNotShell exploit chain)
- CVE-2023-21529
- CVE-2023-36745
- CVE-2023-36439
While most of these vulnerabilities may not have a critical severity score, Microsoft marked them as “important.” Furthermore, except for the ProxyLogon chain, which has been exploited in attacks, all of them are considered “more likely” to be exploited.
Even if companies still using outdated Exchange servers have implemented available safeguards, this may not be enough. Microsoft recommends giving priority to installing updates on servers facing the external internet. For servers that have reached the end of support, the only viable option is to upgrade to a version that still receives security updates.