17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns

Around 12% of the 45,000 or so Microsoft Exchange servers in Germany that can be accessed from the Internet without restrictions “are so outdated that security updates are no longer offered for them,” the German Federal Office for Information Security (BSI) has warned today.

Also, around 25 percent of all those internet-facing servers run Exchange 2016 and 2019, but are not up-to-date with security patches.

Urgent action is needed

The BSI worries about attackers breaching those servers by exploiting CVE-2024-21410, a critical elevation of privilege bug that allows attackers to learn a targeted user’s NTLM credentials and “relay” them to authenticate themselves to a vulnerable Exchange Server as the user.

A fix for CVE-2024-21410 has been provided by Microsoft, and the company advised upgrading to:

• Exchange Server 2019 Cumulative Update (CU) 14, which enforces already existing mitigations (Extended Protection for Authentication) against NTLM relay attacks
• Exchange Server 2016 CU23, then turning Extended Protection on by using a Microsoft-provided script

Microsoft said that it “was aware of exploitation of this vulnerability,” and it has subsequently been added to CISA’s Known Exploited Vulnerabilities catalog.

“There is also another vulnerability in Microsoft Exchange, for which security updates were recently made available,” the BSI stated – likely referring to CVE-2024-26198, a DLL loading vulnerability that could allow unauthenticated attackers to achieve remote code execution on unpatched servers, which has been fixed in March 2024.

“If these updates are not installed, the threat situation increases further,” the BSI noted. This means that at least 17,000 instances of Microsoft Exchange servers in Germany – and likely more of them – are vulnerable to one or more critical vulnerabilities.

The BSI called on operators of Microsoft Exchange instances to use current versions, install available security updates and configure the instances securely.

How many more vulnerable Microsoft Exchange servers are out there?

The Shadowserver Foundation currently detects over 17,800+ internet-facing Exchange Servers around the world vulnerable to CVE-2024-21410, 73,300+ possibly vulnerable to CVE-2024-21410 (due to the unknown “Extended Protection applied” status), and 70,000+ vulnerable to CVE-2024-26198.

BSI said that its CERT has been notifying network operators in Germany via email about IP addresses in their networks where known vulnerable Exchange servers are located.