The German BSI warns of thousands of vulnerable Exchange servers that are accessible online. A large part even runs on versions of Microsoft Exchange that are no longer supported.

The German Federal Office for Security in Information Technology (BSI) warns organizations: Our own research shows that 17,000 Microsoft Exchange servers with known vulnerabilities are accessible online in the country alone. The Germans see around 45,000 Exchange servers in the country with Outlook Web Access activated, which can be accessed via the Internet. 37 percent of them are at risk in one way or another.

Twelve percent of the servers even run on an outdated Exchange version. Both Exchange 2010 and Exchange 2013 are still very popular. These solutions are no longer supported by Microsoft and received their last updates in October 2020 and April 2023. Thousands of German servers have not had security updates for months or years, but are still accessible online.

Other errors

The other servers are a mixed bag of critical bugs that have been patched for some time. These are vulnerabilities that emerged in October of last year or earlier and for which Microsoft has already released solutions. However, the BSI notes that the Germans have not yet rolled out these solutions sufficiently.

Even if the numbers come from Germany, we shouldn’t be uneasy. Belgium is generally not a particularly good student when it comes to quick patching. There is a good chance that a similar scenario will occur during an exam in our country. Rapid patching remains critical because Exchange is never alone in an organization. It is a gateway to the entire organization and hackers like to abuse it when it is open. Exposing legacy systems to the Internet should be a minimum.