These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb

One might say this is a wurst case scenario


The German Federal Office for Information Security (BSI) has issued an urgent alert about the poor state of Microsoft Exchange Server patching in the country.

The government regulator says there are 17,000 or more Exchange Server instances in Germany vulnerable to at least one critical vulnerability, out of around 45,000 public-facing servers in the Euro nation running the software.

Of these servers, 12 percent are running a version of Exchange Server that is ordinarily no longer supported, such as Exchange 2010 and 2013, and around a quarter are running Exchange 2016 and 2019 but without vital patches - meaning at least 37 percent are classed as "vulnerable."

"The fact that there are tens of thousands of vulnerable installations of such relevant software in Germany must not happen," warned Claudia Plattner, president of the BSI.

"Companies, organizations and authorities unnecessarily endanger their IT systems and thus their added value, their services or their own and third-party data, which may be highly sensitive. Cybersecurity must finally be high on the agenda. There is an urgent need for action!"

The BSI is trying to get its citizens to patch early. Just last week Google-owned Mandiant warned that German politicians were under active attack from the Russian Cozy Bear crew, who operate under state sanction from Putin's regime.

Of particular concern is fixing CVE-2024-21410, an elevation-of-privilege vulnerability that Microsoft patched last month. According to German investigators, it is unclear whether as many as 48 percent or so of the country's Exchange servers have been patched against this hole yet, and Microsoft did warn that it is a trickier-than-normal update to apply.

We're told BSI is now emailing network providers on a daily basis reminding them to shore up any vulnerable system it detects. It warns that criminals are already on the lookout to exploit these reported flaws and "schools and universities, clinics, doctors' practices, nursing services and other medical facilities, lawyers and tax advisors, local governments and many medium-sized companies are particularly affected."

"Most of the vulnerabilities are months old and security patches are available," a BSI spokesperson told The Register. "Even if administrators are not responsible for the quality of the software (Microsoft is), they must now act quickly and consistently." ®
