Just 17 per cent of all internet-facing Microsoft Exchange servers are patched against CVE-2020-0688 vulnerability

More than 31,000 Exchange 2010 servers have received no update since 2012

More than 80 per cent of the Microsoft Exchange Servers exposed on the internet are still vulnerable to the CVE-2020-0688 remote code execution (RCE) bug which was patched by Microsoft in February 2020, researchers have found.

The researchers from cyber security firm Rapid7 said that they used the Project Sonar tool last month to check how many internet-facing Exchange servers were still unpatched against the CVE-2020-0688 post-authentication RCE flaw, which affects all supported Microsoft Exchange Server versions.

The research team found that 357,629 of the 433,464 Microsoft Exchange servers it observed were still unpatched against the vulnerability as of 24 March 2020. That means just 17 per cent of the Exchange servers reviewed by the researchers are currently safe from attacks launched using the CVE-2020-0688 flaw.

The team also discovered more than 31,000 Exchange 2010 servers that had not received any update since 2012, and nearly 800 Exchange 2010 servers that have never been updated by IT admins, and many that were now unsupported by Microsoft.

"In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers," Rapid7 Labs senior manager Tom Sellers explained in an online post.

"Exchange 2007 transitioned to End of Support (EoS) status nearly three years ago on April 11, 2017. No security updates, bug fixes, timezone updates, etc., are provided after that date. Had this vulnerability affected Exchange 2007, it would not have been fixed."

The CVE-2020-0688 vulnerability exists in the Exchange Control Panel (ECP) web application and could enable hackers to hijack unpatched Microsoft Exchange servers using a previously stolen valid user account. The flaw arises because the Exchange server fails to generate a unique cryptographic key at installation, which allows deserialisation of untrusted data.

A successful exploitation of the flaw enables the attacker to remotely execute arbitrary code with system-level privileges.

In some cases, the attacker can go on to compromise the entire Exchange environment, including email, as well as the entire Active Directory.
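The "unique cryptographic key" the article refers to is the ASP.NET machineKey pair (validationKey and decryptionKey) that signs and encrypts ViewState; when every installation shares the same literal values, signed ViewState from any authenticated user is trusted and deserialised. The following config audit is an added example written for this article, not code from Rapid7 or Microsoft: it parses a web.config and flags any machineKey whose keys are hard-coded rather than AutoGenerate. The two sample configs are constructed, and their key values are placeholders, not Exchange's real keys.

```python
"""Audit an ASP.NET web.config for a static <machineKey> (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: keys hard-coded in the config (placeholder hex values,
# NOT the real Exchange keys). Every install sharing these is the CVE-2020-0688 pattern.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Constructed sample: keys generated per install, which is the ASP.NET default.
AUTO_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""

# A literal key is a run of hex digits; AutoGenerate[,IsolateApps] never matches.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")


def audit_machine_key(config_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means no static key was found."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET treats a missing attribute as AutoGenerate.
            value = mk.get(attr, "AutoGenerate")
            if HEX_KEY.match(value):
                # A shared, install-independent secret: anyone who knows it can
                # produce ViewState that passes the MAC check and is deserialised.
                findings.append(f"{attr} is hard-coded ({len(value) * 4}-bit value)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no static machineKey"])
```

Run it against the web.config of each ECP virtual directory after patching to confirm the keys are no longer the shared literal values.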

The vulnerability was uncovered by an anonymous security researcher, who reported it to Microsoft via Trend Micro's Zero Day Initiative. Microsoft released a patch for the bug in February 2020, and tagged the bug with an "Exploitation More Likely" assessment, suggesting that it could be an attractive target for hackers.

Last month, researchers at cyber security firm Volexity warned that they had detected multiple state-sponsored threat groups exploiting CVE-2020-0688 in efforts to target Microsoft Exchange email servers.

The researchers also said that other hacking groups, including ransomware gangs, are likely to start targeting the vulnerable servers in the coming days.