Germany’s leading cybersecurity agency is urging vulnerable organizations to update their outdated Microsoft Exchange software and apply all available security updates.
The German Federal Office for Information Security (BSI) reported that at least 17,000 Exchange servers are at risk due to one or more critical flaws. Cybercriminals and state-sponsored actors are already exploiting many of these vulnerabilities to distribute malware and conduct cyber espionage or ransomware attacks, the agency noted.
The report didn’t point to any examples, but it said local schools, universities, medical facilities, judicial services, local governments, and medium-sized businesses are facing serious threats.
The BSI says it has repeatedly warned about the active exploitation of critical vulnerabilities in Microsoft Exchange since 2021, even temporarily elevating the IT threat level to “red.”
“Nevertheless, the situation has not improved since then, as many Exchange server operators continue to be very negligent in providing security updates,” the report said.
A lot of companies are too slow to address vulnerabilities with available fixes. Even with critical vulnerabilities, it may take months or more for administrators to apply patches. These delays create the perfect opportunities that criminals actively seek.
A total of 45,000 Microsoft Exchange servers in Germany are currently accessible from the internet, the agency explained, and about 12% of these servers are so outdated that they no longer receive security updates.
Furthermore, around 25% of all servers in Germany use the 2016 and 2019 versions of Exchange but haven’t updated to the latest patches, leaving these servers exposed to several critical vulnerabilities.
“The fact that there are tens of thousands of vulnerable installations of such relevant software in Germany must not happen,” said Claudia Plattner, president of the BSI.
“Companies, organizations, and authorities unnecessarily endanger their IT systems and thus their added value, their services or their own and third-party data, which may be highly sensitive. Cybersecurity must finally be high on the agenda. There is an urgent need for action!,” she added.