Application security, Vulnerability Management

After a year of Exchange exploits, Microsoft presses customers to patch on-prem servers

Microsoft CES 2023 booth

Following a year rife with Exchange exploits, Microsoft urged customers to keep their on-premises Exchange servers patched and updated, warning that attackers "are not going to go away." 

The company's Exchange Team advised in a blog post yesterday that customers should install the latest available Cumulative Update (CU) and Security Update (SU) on all the exchange servers while occasionally performing manual tasks to harden the environment. 

"Attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of an unpatched on-premises environment that are valuable to bad actors," the blog post warned. "First, user mailboxes often contain critical and sensitive data. Second, every Exchange server contains a copy of the company address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact info, and more. And third, Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment." 

The warning comes after Microsoft asked customers to continue patching on-prem Exchange servers to address the ProxyLogon vulnerabilities. More recently, Microsoft patched another set of exchange bugs called ProxyNotShell, which affected Exchange Server 2013, 2016, and 2019 and allowed attackers to gain arbitrary or remote execution on compromised servers. 

Despite multiple high-impact vulnerabilities and repeated warnings from Microsoft, government agencies and news media, there are likely hundreds of thousands of internet-connected servers (at least) running older, exposed versions of Exchange today. According to an advisory published by the New Jersey Cybersecurity and Communications Integration Cell on Jan. 5, Shodan – which scans internet-connected assets around the globe - identified 60,000 unpatched Exchange servers still vulnerable to ProxyNotShell, including 17,000 in the United States alone, as well as another 40,000 servers still vulnerable to the ProxyLogon and ProxyShell exploits. 

Even those who keep up with their patching must be vigilant, as Microsoft has had to frequently update its Exchange software to account for new exploits designed to bypass previous security patches for the bugs.  

At the time of writing, the latest supported CUs are CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013. The latest SU is January 2023 SU.  

Both CUs and SUs are cumulative, meaning customers only need to install the latest available one. "You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU," the blog post explained.  

The company also said customers should always run the Exchange Server Health Checker script after installing updates. This helps detect common configuration issues that may cause performance problems and provides links to articles with step-by-step guidance for additional manual tasks that need to be performed.  

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.