How legacy software will kill you - 20,000 legacy Microsoft Exchange servers are active globally

published: Dec. 2, 2023

Take action: Running a legacy version of internet-connected software is a guaranteed recipe for disaster. Don't "plan to replace them". Replace them now, even if it means going to a cheap cloud service. You are not saving money by running these systems: you spend a lot of money on hardware and people, and you will pay massively more when you get hacked.


A massive number of legacy Microsoft Exchange email servers are still active across Europe, the U.S., and Asia. By their very nature these servers are publicly accessible, and they are vulnerable to various attacks because they run outdated software versions that are no longer supported and thus do not receive updates.

Data from The ShadowServer Foundation reveals nearly 20,000 Exchange servers that are well past their end of life yet still functioning and accessible via the internet. The majority of these servers are located in Europe, with significant numbers also in North America and Asia.

A key point is the continued operation of Exchange Server 2007, despite its end-of-life (EoL) status.

Security researcher Yutaka Sejiyama investigated data on Shodan and found over 30,000 legacy Microsoft Exchange servers:

  • 275 instances of Exchange Server 2007,
  • 4,062 of Exchange Server 2010,
  • 26,298 of Exchange Server 2013.

Sejiyama's research also highlights a worrying trend: the global number of EoL Exchange servers has only decreased by 18% since April, dropping from 43,656 to 30,635. This slow rate of upgrading indicates that the exposure persists.

These outdated servers are prone to multiple remote code execution flaws, including the well-known ProxyLogon issue (CVE-2021-26855), which can be combined with another vulnerability (CVE-2021-27065) for remote code execution. Sejiyama's data suggests that around 1,800 Exchange systems are vulnerable to ProxyLogon, ProxyShell, or ProxyToken vulnerabilities.

The ShadowServer Foundation's scan revealed these machines are susceptible to various security flaws, like:

  • CVE-2020-0688,
  • CVE-2021-26855 (ProxyLogon),
  • CVE-2021-27065 (part of the ProxyLogon exploit chain),
  • CVE-2022-41082 (part of the ProxyNotShell exploit chain),
  • CVE-2023-21529,
  • CVE-2023-36745,
  • CVE-2023-36439.

While not all these vulnerabilities are critically severe, they are deemed "important" by Microsoft and are tagged as likely to be exploited.

Microsoft advises prioritizing updates for servers with external exposure. The only viable solution for servers that have reached their end of support is upgrading to a version that still receives security updates.
