One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years


  • A security vulnerability in Microsoft Exchange servers remains largely unpatched
  • A fix was issued four years ago, but some users clearly didn't update
  • This flaw may have aided the hacking group Salt Typhoon

Critical security vulnerabilities seem to be a regular occurrence in technology reporting, with countless patches and updates to keep track of - but this Microsoft Exchange Server flaw might be one to take very seriously.

Most of us will be familiar with the major incident in which 9 US telecom giants were breached in what appeared to be a Chinese state-sponsored cyber-espionage campaign. The attack, attributed to hacking group Salt Typhoon, is said to have exploited, at least in part, a known critical security flaw in Microsoft Exchange Server.

The vulnerability, nicknamed ProxyLogon, was disclosed by Microsoft in 2021, and a patch has been available for 4 years. Despite this, cyber-risk management company Tenable has calculated that, of nearly 30,000 instances affected by ProxyLogon, 91% remain unpatched.

CISA guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) previously released in-depth guidance on strengthening visibility and hardening systems and devices in response to the breach, and has emphasized end-to-end encryption for secure communications.

ProxyLogon is one of five commonly exploited vulnerabilities used by Salt Typhoon. Others include Ivanti Connect Secure Command Injection and Authentication Bypass vulnerabilities, as well as a Sophos Firewall Code Injection Vulnerability.

In light of this, the recommendation and advice for any security teams out there is to always patch where available, and keep as up to date as possible on any software for potential vulnerabilities or fixes.

“In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks,” said Federal Communications Commission Chairwoman Jessica Rosenworcel.

“Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”

Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
