Skip links

These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb

The German Federal Office for Information Security (BIS) has issued an urgent alert about the poor state of Microsoft Exchange Server patching in the country.

The government regulator says there are 17,000 or more Exchange Server instances in Germany vulnerable to at least one critical vulnerability, out of around 45,000 public-facing servers in the Euro nation running the software.

Of these servers, 12 percent are running a version of Exchange Server that is ordinarily no longer supported, such as Exchange 2010 and 2013, and around a quarter are running Exchange 2016 and 2019 but without vital patches – meaning at least 37 percent are classed as “vulnerable.”

“The fact that there are tens of thousands of vulnerable installations of such relevant software in Germany must not happen,” warned Claudia Plattner, president of the BSI.

“Companies, organizations and authorities unnecessarily endanger their IT systems and thus their added value, their services or their own and third-party data, which may be highly sensitive. Cybersecurity must finally be high on the agenda. There is an urgent need for action!”

The BIS is trying to get its citizens to patch early. Just last week Google-owned Mandiant warned that German politicians were under active attack from the Russian Cozy Bear crew, who operate under state sanction from Putin’s regime.

Of particular concern is fixing CVE-2024-21410, an elevation-of-privilege vulnerability that Microsoft patched last month. According to German investigators, it’s not clear whether as much as 48 percent or so of the country’s Exchange servers have fixed up this hole yet, and Microsoft did warn it’s a trickier-than-normal update to apply.

We’re told BIS is now emailing network providers on a daily basis reminding them to shore up any vulnerable system it detects. It warns that criminals are already on the lookout to exploit these reported flaws and “schools and universities, clinics, doctors’ practices, nursing services and other medical facilities, lawyers and tax advisors, local governments and many medium-sized companies are particularly affected.”

“Most of the vulnerabilities are months old and security patches are available,” a BIS spokesperson told The Register. “Even if administrators are not responsible fort he quality of the software (Microsoft is), they must now act quickly and consistently.” ®