Over 350,000 Microsoft Exchange servers are still exposed to a critical remote code execution flaw (CVE-2020-0688), even though Microsoft addressed the bug nearly two months ago, in its February 2020 security updates.
The vulnerability resides in the Exchange Control Panel (ECP) component. Its root cause is that Exchange setup failed to generate unique cryptographic keys at install time: every installation shipped with the same static ASP.NET machineKey (validationKey and decryptionKey) in the ECP web.config. Because the keys that protect the ECP's ViewState are publicly known, a remote attacker holding valid credentials for any mailbox user can craft a malicious serialized ViewState that the server accepts and deserializes, executing arbitrary code with SYSTEM privileges and taking full control of the server.
An internet-wide scan conducted by Rapid7 researchers revealed that at least 357,629 (82.5%) of the 433,464 observed Exchange servers are still vulnerable.
Furthermore, the scan showed that over 31,000 Exchange 2010 servers have not been updated since 2012, nearly 800 Exchange 2010 servers have never been updated at all, and concerning numbers of Exchange 2007 servers (10,731) and Exchange 2010 servers (more than 166,000) remain online. Exchange 2007 is no longer supported, and Exchange 2010 reaches end of support on October 13, 2020.
As the researchers pointed out, Exchange 2007 is not affected by CVE-2020-0688, but even if it were, it would not be fixed, since the product is out of support.
“There are two important efforts that Exchange administrators and InfoSec teams need to make: verify the deployment of the update and look for signs of compromise. The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA),” Rapid7 Labs senior manager Tom Sellers explained.
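The two follow-up tasks Sellers describes can be partly scripted. The Python below is an added example, not code from the article or from Rapid7: it flags an ECP web.config that still carries the static machineKey published in the CVE-2020-0688 write-ups (a server with those keys is still exploitable by anyone holding mailbox credentials), and it scans IIS W3C logs for the signature of a forgery attempt, a request to an /ecp/ page that carries __VIEWSTATE in the query string, which legitimate ECP traffic sends in the POST body instead. The web.config fragments, the log lines, the user name, addresses and the __VIEWSTATEGENERATOR value are all constructed for the example.

```python
"""Follow-up checks for CVE-2020-0688 (added example, not from the article).

1. ecp_has_static_machinekey(): does an ECP web.config still use the
   non-unique machineKey that every pre-patch Exchange install shipped with?
2. find_viewstate_in_query(): which IIS log entries show __VIEWSTATE being
   passed in the query string of an /ecp/ request?  Normal ECP pages post
   ViewState in the request body, which IIS does not log, so a ViewState in
   cs-uri-query is characteristic of the public exploit.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Static keys from the published CVE-2020-0688 analyses (identical on every
# unpatched install, which is the whole vulnerability).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
STATIC_DECRYPTION_KEY = "E9D2490BD0075B51D1BA5288514514AF"


def ecp_has_static_machinekey(web_config_xml: str) -> bool:
    """True when any <machineKey> element still carries a known static key."""
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        vk = (mk.get("validationKey") or "").upper()
        dk = (mk.get("decryptionKey") or "").upper()
        if vk == STATIC_VALIDATION_KEY or dk == STATIC_DECRYPTION_KEY:
            return True
    return False


def find_viewstate_in_query(iis_log: str) -> list:
    """Return one dict per /ecp/ request whose query string carries __VIEWSTATE.

    Parses IIS W3C extended format using the '#Fields:' header to name columns,
    so it works with whatever field order the server was configured to log.
    """
    fields = None
    hits = []
    for line in iis_log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misparse
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.startswith("/ecp/"):
            continue
        raw_query = rec.get("cs-uri-query", "-")
        query = {k.lower(): v for k, v in
                 parse_qs(raw_query, keep_blank_values=True).items()}
        if "__viewstate" in query:
            hits.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "user": rec.get("cs-username"),        # exploit needs a valid user
                "client": rec.get("c-ip"),
                "stem": stem,
                "status": rec.get("sc-status"),        # 500 is typical when the payload runs
                "generator": query.get("__viewstategenerator", [""])[0],
            })
    return hits


# --- constructed sample inputs -------------------------------------------
SAMPLE_WEB_CONFIG_VULNERABLE = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="E9D2490BD0075B51D1BA5288514514AF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

SAMPLE_WEB_CONFIG_ROTATED = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Constructed IIS lines: normal OWA and ECP traffic, then one forgery attempt
# (GET to /ecp/default.aspx with __VIEWSTATEGENERATOR and __VIEWSTATE in the URL).
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-06 10:15:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2020-04-06 10:15:40 10.0.0.5 POST /ecp/default.aspx - 443 CORP\jdoe 203.0.113.7 Mozilla/5.0 https://mail.example.test/ecp/ 200 0 0 310
2020-04-06 10:16:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAAAA 443 CORP\jdoe 203.0.113.7 python-requests/2.22.0 - 500 0 0 45
"""

if __name__ == "__main__":
    print("static key present:", ecp_has_static_machinekey(SAMPLE_WEB_CONFIG_VULNERABLE))
    for hit in find_viewstate_in_query(SAMPLE_IIS_LOG):
        print("possible CVE-2020-0688 attempt:", hit)
```

Point the second function at the real IIS log directory (by default under %SystemDrive%\inetpub\logs\LogFiles\W3SVC1) and treat every hit as a lead: the cs-username field tells you which account's credentials the attacker already held, which matters as much as the exploit itself.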