85k+ MS Exchange servers remain vulnerable to severe RCE bugs

Months after Microsoft urged organizations to update their software to patch vulnerabilities in Exchange servers, more than 85,000 servers are still exposed to attack, a Cybernews investigation reveals.
Similar vulnerabilities have been exploited in the past by Russia-linked threat actors to conduct large-scale attacks against government agencies.
Given that the recently discovered vulnerabilities resemble the ones used by the Directorate of Russian Armed Forces (GRU) in 2020 to conduct large-scale attacks against government agencies, businesses, and other organizations, unpatched servers pose a severe threat.
Severe vulnerabilities discovered
On February 14th, Microsoft disclosed new vulnerabilities in Microsoft Exchange and urged customers to patch them by installing the latest security updates.
The recently disclosed remote code execution (RCE) vulnerabilities, tracked as CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707, are extremely dangerous: they potentially allow attackers to run malicious code on the server and compromise the private emails and inboxes of other users on it.
All an attacker needs in order to reach the server is an account on Microsoft Exchange, which is not hard to obtain: an ill-intentioned employee, student, or other user already has one. Threat actors could also phish a single user and, if successful, gain access to the emails of the entire organization.
Although the primary concern is access to confidential and private information, the vulnerabilities could also serve as a means of initial network access, allowing perpetrators to launch ransomware or extract sensitive data from other servers within the same network.
Despite the company's efforts, many organizations using Microsoft's services remain vulnerable to attack.
Most of the vulnerable servers in Germany
The Cybernews investigation revealed that one in three MS Exchange servers is still unpatched, with most of them located in Germany.
Out of 248,350 internet-connected Microsoft Exchange servers studied by the researchers, 85,261 were exposed to the RCE vulnerabilities. That is, 34.33% of all Exchange servers may have been affected.
Germany had the most vulnerable servers, more than 18,000. The US is the second most affected country, with nearly 16,000 servers still unpatched. The UK, France, the Netherlands, and Russia have 3,734, 2,959, 2,906, and 2,775 vulnerable servers, respectively.
The researchers also analyzed the distribution of Exchange versions and found that in most Western countries, newer but still vulnerable versions were more common, except for the first minor version within a major release (e.g., version 15.2.986.5 rather than 15.2.986.41).
In China and Russia, however, older versions of MS Exchange 2016 were preferred, although newer versions were still in use within the 2019 and 2013 releases.
Although the impact of all three discovered RCE vulnerabilities is roughly the same, they are distinct vulnerabilities in different components of Microsoft Exchange. Each has been fixed in a different version of the software, so to capture the maximum number of potentially exposed versions, the researchers counted every version affected by any of the three vulnerabilities.
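The version-based classification described above, as an added example that is not Cybernews' tooling: it parses Exchange build strings numerically (so that 15.2.986.5 correctly sorts below 15.2.986.41), flags builds below a per-cumulative-update fix level, and computes the exposed share per country. The fix-level table and the inventory rows are constructed placeholders, not the real patched build numbers.

```python
# Added example (not Cybernews' tooling): classify Exchange build strings for
# patch-status triage. Fix-level thresholds are CONSTRUCTED placeholders;
# replace them with the values from Microsoft's Exchange build table.

# Placeholder: for each cumulative-update line (first three components), the
# lowest fourth component that carries the fix. Values are constructed.
PATCHED_MIN = {
    (15, 2, 986): 41,   # mirrors the article's 15.2.986.5 vs 15.2.986.41 example
    (15, 2, 1118): 25,
    (15, 1, 2507): 20,
    (15, 0, 1497): 47,
}

# Constructed inventory rows: (country, build string) as a scanner might emit.
SAMPLE = [("DE", "15.2.986.5"), ("DE", "15.2.986.41"), ("US", "15.1.2507.20"),
          ("US", "15.1.2507.17"), ("RU", "15.0.1497.47"), ("CN", "15.1.2375.7")]

def parse_build(s):
    """'15.2.986.5' -> (15, 2, 986, 5). Numeric tuples order correctly, whereas
    plain string comparison would rank '.5' above '.41'."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Exchange build string: {s!r}")
    return parts

def is_vulnerable(build_str):
    """True when the build is below the patched level of its CU line. A CU line
    missing from the table is reported as vulnerable so it gets reviewed
    instead of silently passing (a deliberate conservative choice)."""
    major, minor, build, rev = parse_build(build_str)
    min_rev = PATCHED_MIN.get((major, minor, build))
    return True if min_rev is None else rev < min_rev

def summarize(records):
    """records: (country, build_str) pairs. Returns {country: [vulnerable, total]}
    and the overall exposed share in percent (the article's 34.33% figure is
    this kind of ratio)."""
    per_country, vuln, total = {}, 0, 0
    for country, build_str in records:
        hit = is_vulnerable(build_str)
        counts = per_country.setdefault(country, [0, 0])
        counts[1] += 1
        counts[0] += int(hit)
        total += 1
        vuln += int(hit)
    share = round(100 * vuln / total, 2) if total else 0.0
    return per_country, share

if __name__ == "__main__":
    print(summarize(SAMPLE))
```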
Not the first time Exchange is exploited
This is not the first time RCE vulnerabilities have been identified in Microsoft Exchange servers, and there have been consequences. In 2020, for example, known RCE vulnerabilities were ruthlessly exploited in a brute-force attack campaign.
The campaign, attributed to the Russian GRU, targeted hundreds of US and foreign organizations worldwide, including the US government and Department of Defense, as well as logistics, energy, and media companies.
In 2021, four zero-day RCE vulnerabilities were actively exploited by the China-linked threat actor group Hafnium to target governments, medical research facilities, law firms, and defense contractors globally.
Vulnerabilities are not patched on time
Although months have passed since the RCE vulnerabilities were identified, the number of unpatched Exchange servers has barely decreased. When the Shadowserver Foundation measured it in February, the number of vulnerable servers was around 87,000.
The numbers show a worrying tendency: many organizations still disregard cybersecurity threats and fail to update their software in a timely manner.
In 2021, the infamous Log4Shell vulnerability in the Apache logging utility Log4j attracted much attention. Yet despite the public panic, 40% of recent Log4j downloads are older, more vulnerable versions.
The EternalBlue (MS17-010) vulnerability, affecting some versions of Microsoft Windows, was exploited by the WannaCry ransomware in 2017. Even though patches have been available for the past six years, thousands of internet-connected systems are still vulnerable to this exploit.
According to Brandon Wales, acting director of CISA (the Cybersecurity and Infrastructure Security Agency), applying security updates is essential, but more action is needed.
Even if companies have applied the patches, they should verify that their systems have not been breached, since the network could have been compromised before the patches were applied.
“You should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that,” Wales said.