247,000 Microsoft Exchange servers are still open to attack exploiting

Although Microsoft released a patch almost eight months ago, more than half of Internet-facing Exchange servers (61%) remain exposed to a serious vulnerability that allows an authenticated attacker to execute code remotely with SYSTEM privileges.

The vulnerability (CVE-2020-0688) exists in the Exchange Control Panel (ECP) of Microsoft Exchange, Microsoft's mail and calendar server. It stems from the server's failure to generate a unique cryptographic key during installation, so installations do not get keys of their own.
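To make that root cause concrete, the following is an added illustration, not code from the article or from Exchange itself. It models, in the abstract, a server that signs client-supplied state with a key that is identical on every installation versus one that generates a fresh key at install time; the key value, class names and state blob are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed placeholder standing in for a key baked into every install.
SHARED_STATIC_KEY = b"example-static-key-present-on-every-install"


class Installation:
    """One server installation that signs and verifies opaque state blobs."""

    def __init__(self, unique_key: bool):
        # Correct behaviour: derive a fresh random key per installation.
        # Flawed behaviour (the CVE-2020-0688 pattern): reuse a static key.
        self.key = os.urandom(32) if unique_key else SHARED_STATIC_KEY

    def sign(self, state: bytes) -> bytes:
        """Return state || HMAC-SHA256(key, state)."""
        return state + hmac.new(self.key, state, hashlib.sha256).digest()

    def verify(self, blob: bytes) -> bool:
        """Accept the blob only if its tag was made under this install's key."""
        if len(blob) < 32:
            return False
        state, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.key, state, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def cross_install_accepted(unique_keys: bool) -> bool:
    """Sign state on install A and report whether install B accepts it.

    With per-install keys the answer must be False: one install's key says
    nothing about another's. With a shared static key the answer is True,
    which is why a key known from any one host affects every host.
    """
    a = Installation(unique_keys)
    b = Installation(unique_keys)
    blob = a.sign(b"constructed-state-blob")
    return b.verify(blob)


if __name__ == "__main__":
    print("shared static key -> foreign blob accepted:", cross_install_accepted(False))
    print("per-install key   -> foreign blob accepted:", cross_install_accepted(True))
```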

Scan data shows that, of the 433,464 Internet-facing Exchange servers observed, at least 61% of the Exchange 2010, 2013, 2016 and 2019 installations are still vulnerable.


“File:Microsoft Exchange (2019-present).svg” by Microsoft Office team is licensed under CC BY-SA 4.0

“It’s been just under eight months since Microsoft released the patches to address CVE-2020-0688, so we thought it would be a good time to revisit patch deployment to see whether organizations have addressed this particular risk,” explained Tom Sellers of Rapid7 in a blog post. “Unfortunately, as of our study on Sept. 21, 2020, it appears that 61% of the target population (Exchange 2010, 2013, 2016, and 2019) is still vulnerable to exploitation.”

Researchers warned that unpatched servers were exploited in the wild in March. They observed attackers using the vulnerability to run system commands for reconnaissance, deploy a webshell, and execute a backdoor in memory for later use. Administrators are urged to verify that the update has been deployed.

“The most reliable method to determine whether the update is installed is by checking patch management software, vulnerability management tools, or the hosts themselves to determine whether the appropriate update has been installed,” the post continues. “Note that these tools will likely not indicate that the update is missing if the Exchange Server isn’t running a current version of the Exchange Cumulative Update or Rollup. These servers are still vulnerable.”