CERT-Bund warns: More than 15,000 Exchange servers with security vulnerabilities
In Germany, more than 15,000 Exchange servers with at least one code-injection vulnerability are still reachable from the network, CERT-Bund warns.
(Image: created with AI in Bing Designer by heise online / dmk)
CERT-Bund, part of the Federal Office for Information Security (BSI), has issued a warning on X about more than 15,000 Exchange servers in Germany that have at least one security vulnerability that can be exploited from the network. This is only a slight decrease compared to the figures from March.
This corresponds to 35 percent of servers in Germany that offer an Outlook Web Access (OWA) web interface that can be accessed from the network. The IT experts from CERT-Bund write that this is still comparatively "good", as no new critical vulnerability in Exchange has become known in recent months.
In another post on X, CERT-Bund provides further figures. More than 12,000 of the Exchange 2016 and 2019 servers with an OWA accessible from the Internet have a patch status that is more than half a year old, which corresponds to around 28 percent of the systems. 6500, or 15 percent, of the Exchange machines with open OWA are even still at a patch level from over a year ago.
Nevertheless, six months ago, 12 percent of the servers providing OWA were still running an Exchange version outside its support lifecycle (Exchange 2010 and 2013) while accessible on the network; this figure has now fallen below ten percent. As security updates are no longer available for these versions, migrating them to a version that is still supported should be a top priority.
In March, the BSI warned of more than 17,000 vulnerable Exchange servers in Germany. If this rate continues, all currently vulnerable Exchange servers could be patched in just under four years' time. Hopefully, the latest warning from the CERT-Bund will help more IT managers to upgrade their Exchange instances to a secure level.
(dmk)