IT teams operating Microsoft Exchange servers (opens in new tab) are very slow at patching their endpoints, resulting in thousands of devices still being vulnerable to some high-severity flaws.
This is according to a new report on CyberNews, which claims more than 85,000 servers are still exposed to multiple remote code execution (RCE) vulnerabilities, namely CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707.
The report has described the flaws as “extremely dangerous” due to the fact that they can allow the threat actors to run malicious code and compromise people’s inboxes and email messages sitting on the servers.
Disregarding the threat
The flaws were discovered in mid-February 2023, with Microsoft being quick to release a patch to address the issue.
However, many IT teams are yet to apply these patches, they’re saying. In fact, as per Shadowserver Foundation data, the number of vulnerable servers in February was 87,000, meaning the vast majority of IT teams basically disregarded this security threat and simply decided not to apply the fix.
The researchers analyzed roughly 250,000 internet-connected Microsoft Exchange servers and found exactly 85,261 to be exposed to these RCE flaws (34.33%). Most of the vulnerable servers were located in Germany – 18,000 of them.
The US is second-placed with almost 16,000 servers, followed by the UK (3,734), France (2,959), and Russia (2,775). Russia and China were particularly interesting, as companies in these countries preferred older versions of MS Exchange 2016, “although newer versions were still used in the 2019 and 2013 releases,” the researchers said.
The impact is “roughly the same”, but the vulnerabilities are different.
While it’s hard to determine who might use these flaws, and to what purpose, Cybernews does stress that “similar vulnerabilities” were exposed in the past by Russian state-sponsored actors. The publication claims these flaws are not unlike the ones used by the GRU in 2020 to engage in large-scale attacks against government agencies, businesses, and organizations.
Via: Cybernews
