Over 247,000 Microsoft Exchange Servers remain unpatched for serious RCE bug

The CVE-2020-0688 flaw is being actively exploited in the wild, US federal agencies warned earlier this month

More than 247,000 Microsoft Exchange servers around the world are still exposed to the critical CVE-2020-0688 remote code execution (RCE) vulnerability, which hackers are actively exploiting in the wild.

That's according to the researchers from cyber security firm Rapid7, who used their Project Sonar scanning apparatus to find out how many internet-facing Exchange servers were still unpatched against the CVE-2020-0688 flaw. Microsoft patched the vulnerability earlier this year.

The scan showed that more than 60 per cent of the 405,873 Exchange servers that were reachable on the internet were still exposed to CVE-2020-0688 as of the 21st September 2020.

The researchers found that 87 per cent of nearly 138,000 Exchange 2016 servers, and 77 per cent of about 25,000 Exchange 2019 servers, remained unpatched. Moreover, nearly 54,000 Exchange 2010 servers on the internet had not received any security update in the last six years.

More alarmingly, the analysis revealed that over 16,550 Exchange 2007 servers are reachable over the internet. This version reached end-of-life in April 2017, meaning that no updates or bug fixes have been applied since that date.

CVE-2020-0688 is a post-authentication vulnerability in the Exchange Control Panel (ECP) web application, which could allow hackers to use previously stolen valid user account credentials to take over a vulnerable Exchange server. The vulnerability arises when an Exchange server fails to generate a unique cryptographic key at installation, resulting in deserialisation of untrusted data.

After successfully exploiting the bug, an attacker can remotely execute arbitrary code on the system with system-level privileges. In some cases, they can also compromise the entire Exchange environment - including email - as well as Active Directory, Microsoft's identity and access management tool. Computing's own research, for Delta, shows that more than two-thirds of businesses use Active Directory as their main I&AM solution.

An anonymous security researcher discovered CVE-2020-0688, reporting it to Microsoft via Trend Micro's Zero Day Initiative. The firm patched the bug in February 2020, and tagged it with an "Exploitation More Likely" exploitability index assessment.

In March, researchers at cyber security firm Volexity warned that multiple state-sponsored threat groups were exploiting the bug to steal sensitive information from vulnerable email servers. The NSA and CISA later issued an alert advising organisations to immediately patch their servers against the vulnerability.

The bug affects all supported Microsoft Exchange Server versions, including Exchange 2010, 2013, 2016, and 2019.

Earlier this month, the US federal agencies issued a joint advisory to warn that Chinese state-sponsored hackers have been attempting to exploit CVE-2020-0688 and several other vulnerabilities to target government and private sector entities in the US.

Rapid7 Labs advises organisations to address the risks posed by CVE-2020-0688 immediately. The first step is to ensure that Exchange servers have been updated; specifically, any server operating with the ECP enabled must be patched immediately.

Admins should also use technical tools to determine whether their systems show any signs of compromise.
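One way to put that last piece of advice into practice, as an added example that is not part of the original article and not Rapid7's or Microsoft's tooling: a small scanner for IIS access logs on an Exchange server. It assumes that attempts against CVE-2020-0688 deliver the forged ViewState to the ECP as URL query parameters (`__VIEWSTATE` and `__VIEWSTATEGENERATOR`), so they land in the `cs-uri-query` column of the W3C-format IIS log, whereas a normal browser session posts ViewState in the request body and leaves that column empty. The log lines, IP addresses, user name and parameter values below are constructed for the example.

```python
"""Flag ECP requests in IIS W3C logs that carry ViewState in the query string.

Added example for triaging CVE-2020-0688 exposure; not the article's or
Rapid7's code. Assumption: exploit attempts send __VIEWSTATE and
__VIEWSTATEGENERATOR as GET parameters to /ecp/, so they appear in the
cs-uri-query field. All sample data below is constructed.
"""
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qs

# Constructed IIS log excerpt (W3C format). IIS replaces spaces inside
# field values with '+', so a single-space split recovers the columns.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-09-21 10:01:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2020-09-21 10:01:09 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\jdoe 198.51.100.7 Mozilla/5.0 200
2020-09-21 10:02:30 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=AAAAAAAA&__VIEWSTATE=%2FwEyAAAA 443 CORP\\jdoe 203.0.113.44 python-requests/2.24 500
2020-09-21 10:02:31 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=AAAAAAAA&__VIEWSTATE=%2FwEyAAAA 443 CORP\\jdoe 203.0.113.44 python-requests/2.24 500
"""

# Query-string parameter names that should never appear on an ECP GET.
VIEWSTATE_PARAMS = {"__viewstate", "__viewstategenerator"}


def parse_w3c_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed row: skip rather than guess the columns
        rows.append(dict(zip(fields, parts)))
    return rows


def is_suspicious_ecp_request(row: Dict[str, str]) -> bool:
    """True when an /ecp/ request carries ViewState parameters in its query string."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return bool(VIEWSTATE_PARAMS & names)


def find_suspicious_ecp_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the log rows worth a closer look."""
    return [row for row in parse_w3c_log(lines) if is_suspicious_ecp_request(row)]


def summarize_by_client(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count hits per (client IP, authenticated user): the vulnerability is
    post-authentication, so the account used is as important as the source."""
    counts: Dict[Tuple[str, str], int] = {}
    for row in rows:
        key = (row.get("c-ip", "?"), row.get("cs-username", "-"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_ecp_requests(SAMPLE_IIS_LOG.splitlines())
    for row in hits:
        print(row["date"], row["time"], row["c-ip"], row["cs-username"],
              row["cs-uri-stem"], row["sc-status"])
    for (ip, user), n in summarize_by_client(hits).items():
        print(f"{n} suspicious ECP request(s) from {ip} as {user}")
```

On a real server, feed it the files under the IIS log directory for the ECP site (the default location is an assumption that depends on the installation). A hit does not prove a successful exploit; it is a prompt to check that the patch is installed, to reset the credentials of the account named in `cs-username`, and to review what that account did afterwards.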