Information security experts from Rapid7 reported that more than 35,000 Internet-connected Microsoft Exchange servers are still vulnerable to the critical vulnerability CVE-2020-0688 that was fixed in February.
The vulnerability affects the default Exchange Control Panel (ECP) component and allows an attacker to take control of a Microsoft Exchange server using previously stolen valid email credentials.
“The vulnerability was fixed on February 11, 2020 with the release of planned security updates from Microsoft. The company itself identified the probability of exploiting the vulnerability as “very high”, which means that it is an attractive target for hackers“, – said Rapid7 experts.
I have already reported in February about active scanning of the Network in search of vulnerable Microsoft Exchange servers.
According to Rapid7, currently 357,629 of 433,464 Microsoft Exchange servers (82.5%) are still vulnerable to attacks using CVE-2020-0688. Moreover, servers that are considered upgraded can still be vulnerable, since the corresponding patch from Microsoft does not update all OS builds.
“Even worse, about 31 thousand Microsoft Exchange 2010 servers are connected to the Internet, and have not been updated since 2012, and 800 of them have never received updates”, – say Rapid7 researchers.
Researchers also found 10 731 servers running Microsoft Exchange 2007, which ended in 2017, and 166 321 servers running Microsoft Exchange 2010, which will no longer be supported in October this year.
Rapid7 experts strongly recommend that companies using Microsoft Exchange make all the necessary updates.
The most important step is to determine whether Exchange has been updated. The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).
The most reliable method to determine whether the update is installed is by checking patch management software, vulnerability management tools, or the hosts themselves to determine whether the appropriate update has been installed. You can find the list of updates in the Microsoft advisory for CVE-2020-0688.