Approximately 20,000 Microsoft Exchange email servers have been identified as exposed to potential cyberattacks because they run outdated software versions that no longer receive updates. The exposed servers are mainly located in Europe, the United States, and Asia.
Implications of the Exposure
The affected mail systems include versions such as Exchange Server 2007 that have reached end of life and no longer receive any security updates from Microsoft. The vulnerabilities affecting them are not merely theoretical; several, including ProxyLogon, have been exploited in past attacks.
Recommended Actions
Experts strongly recommend that organizations running these outdated servers prioritize upgrading to supported versions or applying available security measures. While certain mitigations may exist, without updates, the servers remain at risk, underscoring the urgent need for action to prevent potential breaches and data theft.
A recent report by The ShadowServer Foundation found that around 20,000 Microsoft Exchange servers that are still operational and reachable over the public internet are running unsupported versions of the software. Because these systems have reached end of life, they are prone to a host of security issues, including remote code execution flaws. The foundation's internet scans show that over half of these vulnerable systems are located in Europe, followed by significant numbers in North America and Asia.
ShadowServer says the following vulnerabilities have been observed:
- CVE-2020-0688
- CVE-2021-26855 – ProxyLogon
- CVE-2021-27065 – part of the ProxyLogon exploit chain
- CVE-2022-41082 – part of the ProxyNotShell exploit chain
- CVE-2023-21529
- CVE-2023-36745
- CVE-2023-36439
ShadowServer's scan was supplemented by research from Macnica security researcher Yutaka Sejiyama, who discovered more than 30,000 instances of such unsupported Exchange servers. Sejiyama also commented on the slow rate of updates: the global number of end-of-life Exchange servers has decreased by only 18% since April, from an initial figure of 43,656. This pace of reduction is perceived as insufficient given the continued exploitation of these vulnerabilities.
A variety of remote code execution risks have been tied to these servers. Specifically, Sejiyama points out that about 1,800 Exchange systems are at risk from ProxyLogon, ProxyShell, or ProxyToken vulnerabilities. Even though not all have been given a critical severity score by Microsoft, the company has designated them as “important” and indicated most are “more likely” to be exploited.
For companies still operating on these outdated servers, mere implementation of mitigations is inadequate. Microsoft's best practice is to install updates on any servers facing the internet as a priority. If organizations are managing servers that have already reached their end of support, the only secure path forward is an upgrade to a supported version that receives at least security updates. The urgency of this issue underscores a critical need for businesses to reassess their cybersecurity strategy, particularly those employing legacy systems in their operations.