Security Experts:

Connect with us

Hi, what are you looking for?



Over 80,000 Exchange Servers Still Affected by Actively Exploited Vulnerabilities

Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities, Microsoft says.

Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities, Microsoft says.

The bugs were publicly disclosed on March 2, when the Redmond-based tech giant announced not only patches for them, but also the fact that a Chinese threat actor had been actively exploiting them in attacks.

Within days, security researchers revealed that multiple adversaries were quick to pick up exploits for the Exchange bugs, but also that some had been targeting the flaws even before patches were released. The first known exploitation attempt is dated January 3, 58 days before public disclosure.

Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates (SUs) for older and unsupported Exchange Server versions, or Cumulative Updates (CU), as the company calls them.

“This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs,” Microsoft said.

With the latest set of released updates, more than 95% of the Exchange Server versions that are exposed to the Internet are covered, yet tens of thousands of machines remain vulnerable. Microsoft revealed that, as of March 12, more than 82,000 Exchange servers were still left to be updated (out of 400,000 identified on March 1).

Last week, ESET reported that more than 10 threat actors were observed targeting vulnerable Exchange servers. Ransomware operators also started targeting the flaws, and the overall number of attacks aimed at the Exchange zero-days grew exponentially over the course of several days only.

On Sunday, security researchers at Check Point pointed out that “the number exploitation attempts multiplied by more than 6 times” within “the past 72 hours alone,” adding that they had identified more than 4,800 exploits and hundreds of compromised organizations worldwide.

The United States was being targeted the most, accounting for 21% of all exploitation attempts, followed by the Netherlands and Turkey, both at 12%. According to Check Point, government/military was the sector being targeted the most (27% of attempts), followed by manufacturing (22%) and software (9%).

“As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands,” Palo Alto Networks said last week.

In a timeline of the attacks, the security firm revealed that the first two bugs were identified on December 10 and 30, 2020, respectively, and reported to Microsoft on January 5, 2021. A third security hole was identified and reported while already under attack, on January 27.

“Ongoing research illustrates that these vulnerabilities are being used by multiple threat groups. While it is not new for highly skilled attackers to leverage new vulnerabilities across varying product ecosystems, the ways in which these attacks are conducted to bypass authentication — thereby providing unauthorized access to emails and enabling remote code execution (RCE) — is particularly nefarious,” Palo Alto Networks noted.

Microsoft published additional information on how organizations can protect their on-premises Exchange servers against exploitation, reiterating that applying the available patches represents the first step, followed by identifying possibly compromised systems and removing them from the network.

Related: Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet