German government warns thousands of Microsoft Server instances are at risk online

News
By Sead Fadilpašić
published

Many organizations are using outdated Microsoft Server versions

Close up of a person touching an email icon.
Image Credit: Pixabay (Image credit: Geralt / Pixabay)

The German government has once again warned education organizations, law firms, healthcare companies, and others, that their Microsoft Exchange servers are vulnerable, meaning they could be a prime candidate for cyberattacks.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) released a new security paper, in which it warned that roughly 45,000 Microsoft Exchange Servers in the country have Outlook Web Access (OWA) enabled, making them accessible from the internet. 

Of that number, roughly one in eight (12%) use Exchange instances that are long past their end-of-life dates (versions 2010 and 2013, which received their last updates in October 2020 and April 2023). Then, there are Exchange servers 2016 and 2019, 28% of which haven’t been patched for months and are vulnerable to at least one critical severity flaw that can be used to run malicious code, remotely.

"Shadow vulnerability"

"Overall, at least 37% of Exchange servers in Germany (and in many cases also the networks behind them) are severely vulnerable. This corresponds to approx. 17,000 systems. In particular, many schools and colleges, clinics, doctor's offices, nursing services and other medical institutions, lawyers and tax consultants, local governments, and medium-sized companies are affected," the BSI said in the paper, BleepingComputer translates.

This is not the first time the BSI is warning organizations in the country about Exchange. In 2021, it did the same thing, even describing the situation in the country as “situation ‘red’”, BSI reminds. “Nevertheless, the situation has not improved since then, as many Exchange server operators continue to act very carelessly and do not release available security updates in a timely manner."

Organizations using Microsoft Exchange servers should make sure they always use the latest version and apply the security patches as soon as they’re available.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.