Technology

BSI renews warning: Thousands of Exchange servers vulnerable

The Federal Office for Information Security (BSI) is again warning of security gaps in Microsoft Exchange Servers. Despite previous warnings, thousands of servers remain unpatched and vulnerable to cyberattacks. What is behind this ongoing problem?

Alarming downtime on Exchange servers

The Federal Office for Information Security (BSI) is sounding the alarm again: Thousands of Microsoft Exchange servers in Germany continue to have critical security gaps (via Günter Born). This worrying situation exists despite repeated warnings and the availability of security updates. The CERT-Bund, the BSI’s computer emergency unit, has published current figures that underline the urgency of the situation.

According to CERT-Bund, around 12,000 Microsoft Exchange Servers 2016 and 2019 can be accessed via the Internet with open Outlook Web Access (OWA), but do not have the latest security levels. This corresponds to around 28 percent of all Exchange servers of these versions in Germany. What is particularly alarming is that for around 6,500 systems, or 15 percent, the last security patch was installed over a year ago.

Critical security vulnerability

Two particularly critical vulnerabilities are the focus of the BSI warning. The vulnerability, known as CVE-2024-26198, allows an unauthenticated attacker to execute remote code. Microsoft has given this vulnerability a high risk score of 8.8. A patch to fix this was already released in March 2024.

Another serious vulnerability, CVE-2023-36439, allows authenticated attackers to gain extensive system privileges. This vulnerability was closed by Microsoft in November 2023. The fact that many servers are still vulnerable to these older vulnerabilities clearly shows how careless many organizations are with their IT systems.

Reasons for lack of patch discipline

The question that arises: Why are these critical updates not installed even though they are available for free? Experts suspect various reasons:

  • Lack of resources: Many IT departments are understaffed and do not have the capacity for regular maintenance.
  • Complexity: Updates can cause compatibility issues in complex environments.
  • Lack of prioritization: Cybersecurity is often not perceived as business-critical.
  • Outdated systems: Older versions of Exchange may no longer be updateable.

The consequences of this negligence can be serious. Unprotected Exchange servers are a popular target for cybercriminals, who can exploit these vulnerabilities to steal sensitive data or launch ransomware attacks.

BSI recommendation for action

The BSI is urging companies and organizations to update their Exchange servers immediately. The following steps are recommended:

  • Instant installation of all available security updates
  • Regularly check patch status
  • Implement additional security measures such as two-factor authentication
  • Consider migrating to cloud-based solutions for better maintainability

 

Share
Published by
Yasir Zeb

Recent Posts

Crash in the smartphone market: lowest sales figures in 13 years

The global smartphone market is experiencing a severe downturn, recording its worst quarter in 13…

14 hours ago

Pixel 11: Mega leak shows images and data from the new Google smartphones

Amazon made a big mistake and revealed the entire lineup of the Google Pixel 11…

14 hours ago

Top 10 Payment Card Tools for Everyday Digital Finance

A payment card is easiest to understand when users see how it fits into real…

20 hours ago

OnePlus is ‘dead’: Oppo wants to soon announce its withdrawal from the EU & USA

OnePlus will soon be history. At least in Europe and the USA. What has been…

20 hours ago

Switch 2 OLED: Nintendo is apparently planning a display upgrade after all

Nintendo is reportedly still internally planning an OLED version of the Switch 2 for the…

20 hours ago

Maps: Google launches major visual update with immersive navigation

Google appears to be starting to distribute the new immersive navigation for Google Maps. The…

20 hours ago