Over 350,000 of all Microsoft Exchange servers have not been patched against the CVE-2020-0688 post-auth remote code execution vulnerability impacting all supported Microsoft Exchange Server versions.
A patch arrived in Microsoft's February 11 patch, but few organizations have actually moved forward with applying it to their servers.
Microsoft has encouraged admins to apply the patch as soon possible, tagging it with an "Exploitation More Likely" exploitability index assessment, hinting that the vulnerability may be an attractive target for attackers. The company also said that it anticipates future attacks on the remote code execution vulnerability, making the recently released patch even more important.
Microsoft announces SaaS developer pack for Outlook Outlook finally gets friendly with Firefox Microsoft Outlook for iOS review Microsoft Outlook.com: Need to Know
Attacks on vulnerable Exchange mail servers began in February. These attacks followed the release of a technical report that detailed how the bug worked. This report was then followed by multiple proof-of-concept exploits, along with a Metasploit module.
Now, nearly two months later, Rapid7 researchers used its Project Sonar to scan the internet and identified at least 82.5% of the 433,464 Exchange servers in the scan were vulnerable to CVE-2020-0688.
To make matters worse, many of the servers tagged by Rapid7 as being safe against attacks may also be vulnerable because many updates to the server did not include an update to the build numbers.
"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," Rapid7 Labs senior manager Tom Sellers explained.
RELATED RESOURCE
Five essentials of a secure modern workplace
The CIO's guide to unleashing productivity whilst minimising risk
Compromised user accounts and accounts that have been used in attacks against Exchange servers can be discovered by checking Windows Event and IIS logs for portions of encoded payloads, including either the "Invalid viewstate" text or the __VIEWSTATE and __VIEWSTATEGENERATOR string for requests to a path under /ecp.
Microsoft says that because there are no mitigating factors for this vulnerability, patching your servers before attackers locate them and compromise your entire network is of the utmost importance.
-
Asus ZenScreen Fold OLED MQ17QH reviewReviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
Server sales are skyrocketing – and growth shows no sign of slowing downNews The rise in AI has helped push server sales to the second highest growth rate since 2019, nearly doubling since last year.
-
The Total Economic Impact™ of the Intel vPro® platform as an endpoint standardwhitepaper Protection across AI attack vectors
-
Testing the Value of Dell™ PowerEdge™ R750 Servers with Windows Server® 2022 Preinstalledwhitepaper Protection across AI attack vectors
-
Discover the six superpowers of Dell PowerEdge serverswhitepaper Transforming your data center into a generator for hero-sized innovations and ideas.
-
AI enablement and built-in security are must-have features on modern storage environmentswhitepaper Modernize storage infrastructure to serve future application demands
-
Accelerate AI initiatives on Dell VxRailwhitepaper Protection across AI attack vectors
-
Choose high data-efficiency technology for lower storage TCOwhitepaper Choose high data-efficiency technology for lower storage TCO
-
PowerStore resiliencywhitepaper PowerStore resiliency
