Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws.
The mail systems run a software version that is currently unsupported and no longer receives any type of updates, being vulnerable to multiple security issues, some with a critical severity rating.
Exchange Server 2007 still running
Internet scans from The ShadowServer Foundation show that there are close to 20,000 Microsoft Exchange servers currently reachable over the public internet that have reached the end-of-life (EoL) stage.
On Friday, more than half of the systems were located in Europe. In North America, there were 6,038 Exchange servers, and in Asia 2,241 instances.
However, ShadowServer's statistics may not show the complete picture as Macnica security researcher Yutaka Sejiyama discovered a little over 30,000 Microsoft Exchange servers that reached end of support.
According to Sejiyama's scans on Shodan, in late November there were 30,635 machines on the public web with an unsupported version of Microsoft Exchange:
- 275 instances of Exchange Server 2007
- 4,062 instances of Exchange Server 2010
- 26,298 instances of Exchange Server 2013
Remote code execution risk
The researcher also compared the update rate and observed that since April this year, the global number of EoL Exchange servers dropped by just 18% from 43,656, a decrease that Sejiyama feels is insufficient.
Even recently, I still see news of these vulnerabilities being exploited, and now I understand why. Many servers are still in a vulnerable state"
by Yutaka Sejiyama
The ShadowServer Foundation highlights that the outdated Exchange machines discovered on the public web were vulnerable to multiple remote code execution flaws.
Some of the machines running older versions of the Exchange mail server are vulnerable to ProxyLogon, a critical security issue tracked as CVE-2021-26855, that can be chained with a less severe bug identified as CVE-2021-27065 to achieve remote code execution.
According to Sejiyama, based on the build numbers obtained from the systems during the scan, there are close to 1,800 Exchange systems that are vulnerable to either ProxyLogon, ProxyShell, or ProxyToken vulnerabilities.
ShadowServer notes that the machines in their scans are vulnerable to the following security flaws:
- CVE-2020-0688
- CVE-2021-26855 - ProxyLogon
- CVE-2021-27065 - part of the ProxyLogon exploit chain
- CVE-2022-41082 - part of the ProxyNotShell exploit chain
- CVE-2023-21529
- CVE-2023-36745
- CVE-2023-36439
Although most of the vulnerabilities above do not have a critical severity score, Microsoft marked them as "important." Furthermore, except for the ProxyLogon chain - which has been exploited in attacks, all of them were tagged as "more likely" to be exploited.
Even if companies still running outdated Exchange servers have implemented available mitigations, the measure is not sufficient as Microsoft recommends prioritizing the installation of updates on the servers that are externally facing.
In the case of instances that reached the end of support the only option remaining is to upgrade to a version that still receives at least security updates.