Over 350,000 Exchange servers around the world are still exposed to a critical vulnerability patched by Microsoft in February and actively being exploited in the wild, according to Rapid7.
The security vendor deployed its Project Sonar scanning apparatus to find that over 82% of the 433,464 Exchange servers it detected were still vulnerable as of March 24.
Discovered by Trend Micro’s Zero Day Initiative, the vulnerability in question, CVE-2020-0688, allows for remote code execution on unpatched systems if the Exchange Control Panel (ECP) interface is accessible to the attacker and they have a working credential for it.
After Rapid7 itself released a Metasploit module related to the bug, security researchers at Volexity spotted “multiple APT actors” trying to exploit the vulnerability at the beginning of March.
“Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password,” the vendor explained.
“This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA.”
Rapid7 Labs manager Tom Sellers urged affected organizations to update Exchange immediately and check for compromise.
However, Project Sonar also revealed more widespread security deficiencies. It found over 31,000 Exchange 2010 servers around the world that have not been updated since 2012, while almost 800 Exchange 2010 servers have never been updated.
“In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers,” Sellers added.
“Exchange 2007 transitioned to End of Support (EoS) status nearly three years ago, on April 11, 2017. No security updates, bug fixes, timezone updates, etc., are provided after that date. Exchange 2007 does not have the vulnerability described by CVE-2020-0688, but if it did, it would not have been fixed.”