Date: 2025-10-28

Microsoft flipped the switch on October 14th, ending security updates for deprecated Exchange Server 2016 and 2019. However, network admins have seemingly ignored the memo, and now tens of thousands of servers are potentially vulnerable in Germany alone.

A staggering 92% of on-premises Microsoft Exchange servers in Germany are running outdated versions that will never receive another security patch, according to a warning issued by the German Federal Office for Information Security (BSI).

The BSI knows of approximately 33,000 on-premises Exchange servers in Germany that have Outlook Web Access openly accessible from the internet.

That means that around 30,360 servers are currently running Exchange 2019 or older, while the only supported Exchange Server Subscription Edition (SE) version was found on the remaining 2,500+ systems.

Over 45% of Exchange servers in the country are running version 2019, while around 40% are running version 2016.

It’s just a matter of time before critical vulnerabilities are discovered in the unsupported software.

“In addition to thousands of companies, a large number of hospitals and doctors’ offices, schools and universities, social services, law and tax firms, public utilities, and municipal administrations are also affected,” the translation of the BSI alert reads.

The watchdog warns that many organizations have flat network structures and insufficient segmentation and hardening. The compromise of an Exchange server can quickly escalate to complete compromise of the affected organization’s entire network, leading to sensitive data theft, ransomware deployment, and production outages lasting for weeks.

“Should a critical vulnerability in Microsoft Exchange become known in the near future – as has happened several times in recent years – it cannot be patched with a security update. The affected Exchange servers may then need to be taken offline immediately to avoid compromise. The consequence would be a massive disruption of the communication capabilities of the affected organizations,” BSI warns.

In August, Cybernews reported on an emergency alert for a now-patched Exchange flaw that could be abused to compromise the entire Microsoft 365 infrastructure. Thousands of servers remained unpatched for previously discovered vulnerabilities.

The BSI acknowledges that Microsoft’s Extended Security Update Program provides some additional critical security updates for an additional fee. However, it will be valid for six months only (through April 14th, 2026). It also requires additional financial resources and only postpones the necessary system upgrades or mitigations.

BSI is urging Exchange server admins to “immediately upgrade to version SE or migrate to an alternative solution.”

The watchdog also recommends never exposing Exchange Server services, such as web access, to the internet. Instead, organizations should secure access via a VPN or limit it to a list of trusted IP addresses.

With Exchange SE, Microsoft shifted from a one-time perpetual license purchase to a subscription model. The Redmond giant also hiked the prices for its on-premises server products in July.

Some German states have announced that they are ditching Exchange and other Microsoft tools altogether, embracing open-source alternatives.

Schleswig-Holstein recently announced that it has migrated 40,000 mailboxes from Microsoft Exchange and Outlook to Open-Xchange and Thunderbird.

