The German Federal Office for Information Security (BSI) issued an alert about at least 17,000 Microsoft Exchange servers in the country that are vulnerable to one or more critical vulnerabilities.
The BSI also added that there is an unreported number of Exchange servers of comparable size that are potentially vulnerable.
The BSI urges operators running vulnerable instances to install available security updates and configure them securely.
Cybercriminals and nation-state actors exploit numerous vulnerabilities for malicious activities, including malware campaigns and cyber espionage operations.
Most affected organizations are educational institutions such as schools and universities, healthcare facilities including clinics and doctors’ practices, nursing services, legal and tax advisory firms, local governments, and a multitude of medium-sized enterprises.
Twelve percent of the listed servers are running a version of Exchange Server that is no longer supported, and around 25 percent of all servers use current versions of Exchange 2016 and 2019 that lack security patches.
“Around 45,000 Microsoft Exchange servers in Germany can currently be accessed from the Internet without restrictions. According to current findings from the BSI, around twelve percent of them are so outdated that security updates are no longer offered for them. Around 25 percent of all servers are operated with current versions of Exchange 2016 and 2019, but have an outdated patch version. In both cases, the servers are vulnerable to several critical vulnerabilities.” reads the alert published by the BSI. “This means that at least 37 percent of all Microsoft Exchange servers openly accessible from the Internet are vulnerable.”
The German agency also warns about the remaining 48 percent of Exchange servers for which it is unclear whether they have been patched against the recently disclosed CVE-2024-21410 vulnerability.
The vulnerability CVE-2024-21410 is a bypass vulnerability that an attacker can exploit to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication (EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.
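One defender-side check that follows from the advisory's pointer to Extended Protection, added here as an example (not code from the BSI, Microsoft or Security Affairs): it parses an exported IIS applicationHost.config and reports, per Exchange virtual directory, whether Windows Authentication carries extendedProtection tokenChecking="Require", the setting that stops a relayed NTLM exchange from being accepted. The element layout is IIS's standard one; the config excerpt is constructed, and the assumption that "Require" is the target value for every directory should be checked against Microsoft's EPA documentation for the specific directory.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in applicationHost.config shape (not from any real server).
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""


def audit_epa(config_xml: str) -> dict:
    """Map each <location> with Windows Authentication enabled to its
    extendedProtection tokenChecking value. A missing <extendedProtection>
    element is reported as "None" (the IIS default), i.e. relay is not blocked."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        win_auth = loc.find(".//windowsAuthentication")
        if win_auth is None or win_auth.get("enabled", "false").lower() != "true":
            continue  # no NTLM challenge served here, nothing to relay against
        epa = win_auth.find("extendedProtection")
        findings[loc.get("path")] = epa.get("tokenChecking", "None") if epa is not None else "None"
    return findings


def not_enforced(config_xml: str) -> list:
    """Paths whose tokenChecking is not "Require": with "Allow" a client that
    sends no channel binding token is still authenticated, so relay still works."""
    return sorted(p for p, v in audit_epa(config_xml).items() if v != "Require")
```

On a live server, export the file from %windir%\System32\inetsrv\config\ and pass its contents to audit_epa; the Exchange Back End site should be checked the same way.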
The IT giant addressed the issue with the release of Patch Tuesday security updates for February 2024.
In February 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft also updated its advisory to label the flaw as actively exploited in the wild.
On 2024-02-17 Shadowserver researchers identified around 97K vulnerable or possibly vulnerable Exchange servers (running a vulnerable version, but possibly with the mitigation applied).
Out of 97,000 servers, 28,500 have been verified to be vulnerable to CVE-2024-21410. Most of these servers were in Germany, followed by the United States.
Germany currently hosts most of the vulnerable servers (19,746), followed by the United States (17,241).
“The fact that there are tens of thousands of vulnerable installations of such relevant software in Germany must not happen. Companies, organizations and authorities unnecessarily endanger their IT systems and thus their added value, their services or their own and third-party data, which may be highly sensitive. Cybersecurity must finally be high on the agenda. There is an urgent need for action!”
said Claudia Plattner, President of the BSI.