The German government has once again warned education organizations, law firms, healthcare companies, and others that their Microsoft Exchange servers are vulnerable, meaning they could be prime candidates for cyberattacks.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) released a new security paper, in which it warned that roughly 45,000 Microsoft Exchange Servers in the country have Outlook Web Access (OWA) enabled, making them accessible from the internet.
Of that number, roughly one in eight (12%) run Exchange versions that are long past their end-of-life dates (versions 2010 and 2013, which received their last updates in October 2020 and April 2023, respectively). Then there are Exchange Server 2016 and 2019 instances, 28% of which haven’t been patched for months and are vulnerable to at least one critical-severity flaw that can be used to run malicious code remotely.
"Shadow vulnerability"
"Overall, at least 37% of Exchange servers in Germany (and in many cases also the networks behind them) are severely vulnerable. This corresponds to approx. 17,000 systems. In particular, many schools and colleges, clinics, doctor's offices, nursing services and other medical institutions, lawyers and tax consultants, local governments, and medium-sized companies are affected," the BSI said in the paper, as translated by BleepingComputer.
This is not the first time the BSI has warned organizations in the country about Exchange. In 2021, it did the same thing, even describing the situation in the country as “situation ‘red’”, the BSI recalls. “Nevertheless, the situation has not improved since then, as many Exchange server operators continue to act very carelessly and do not release available security updates in a timely manner.”
Organizations using Microsoft Exchange servers should make sure they always use the latest version and apply the security patches as soon as they’re available.