More than 350,000 Microsoft Exchange servers have not been patched against the CVE-2020-0688 post-auth remote code execution vulnerability, according to Bleeping Computer.
That means fewer than 20 percent of the publicly facing Exchange servers visible on the internet have been secured against the flaw.
The vulnerability stems from every Exchange installation shipping the same static ASP.NET machineKey for the Exchange Control Panel (ECP): an attacker who already holds any valid mailbox credentials can use that key to forge serialised ViewState data, send it to the ECP in a malformed request, and have it deserialised and executed with the privileges of the ECP application pool. It is present in all supported versions of Microsoft Exchange Server.
The flaw was patched two months ago, at which time Microsoft explained the vulnerability wasn’t yet being exploited in the wild, but rated exploitation as “more likely” in the future.
Cybersecurity firm Rapid7 counted the unpatched servers with its internet-wide scanning tool, Project Sonar, finding that at least 357,629 of the 433,464 Exchange servers it observed remain vulnerable.
Rapid7 also notes "there are over 31,000 Exchange 2010 servers that have not been updated since 2012," and that almost 800 servers have never been updated.
"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," advised Tom Sellers, Senior Manager at Rapid7 Labs.
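As an added example of the second of those efforts, and not code from the article or from Rapid7, the script below reviews IIS W3C logs for one tell-tale of an attempt against the ECP: in normal Exchange Control Panel traffic the `__VIEWSTATE` field travels in a POST body, so a request to `/ecp/` whose query string (`cs-uri-query`) carries both `__VIEWSTATE` and `__VIEWSTATEGENERATOR` is worth pulling for review. The log lines are constructed for the example, the ViewState value is a truncated placeholder rather than a real payload, and the heuristic flags candidates for an analyst rather than proving compromise; verifying that the update itself is installed is a separate step this script does not perform.

```python
"""Flag Exchange Control Panel requests that carry ViewState in the query string.

Added example, not from the article or Rapid7. Heuristic: a request under
/ecp/ whose query string contains both __VIEWSTATE and __VIEWSTATEGENERATOR
is unusual for legitimate ECP use and merits review as a possible
CVE-2020-0688 attempt. Sample log lines below are constructed.
"""
import urllib.parse
from dataclasses import dataclass

# Both parameter names must be present (case-insensitive) for a hit.
SUSPECT_PARAMS = {"__viewstate", "__viewstategenerator"}

# Constructed IIS W3C extended log excerpt; not taken from any real server.
# IIS logs a literal "-" for an empty field and "+" for spaces in User-Agent.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-03-01 10:15:03 10.0.0.5 GET /owa/ - 443 CORP\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 120
2020-03-01 10:16:41 10.0.0.5 GET /ecp/ rfr=owa 443 CORP\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 64
2020-03-01 10:16:42 10.0.0.5 POST /ecp/default.aspx - 443 CORP\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 88
2020-03-01 10:20:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy1QIAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAA 443 CORP\bob 198.51.100.77 python-requests/2.23.0 500 310
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    user: str
    uri: str
    status: str
    generator: str
    viewstate_len: int  # length of the URL-decoded __VIEWSTATE value


def parse_w3c(lines):
    """Yield (line_no, entry_dict) for each log entry, using the #Fields: header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: header on line %d" % n)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield n, dict(zip(fields, values))


def find_viewstate_in_query(lines):
    """Return Hits for ECP requests carrying __VIEWSTATE and __VIEWSTATEGENERATOR in the query."""
    hits = []
    for n, e in parse_w3c(lines):
        stem = e.get("cs-uri-stem", "").lower()
        query = e.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        lowered = {k.lower(): v for k, v in params.items()}
        if not SUSPECT_PARAMS <= lowered.keys():
            continue
        hits.append(Hit(
            line_no=n,
            client_ip=e.get("c-ip", "-"),
            user=e.get("cs-username", "-"),
            uri=stem + "?" + query,
            status=e.get("sc-status", "-"),
            generator=lowered["__viewstategenerator"][0],
            viewstate_len=len(lowered["__viewstate"][0]),
        ))
    return hits


if __name__ == "__main__":
    for h in find_viewstate_in_query(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no}: {h.client_ip} as {h.user} -> {h.status} "
              f"(generator {h.generator}, viewstate {h.viewstate_len} bytes)")
```

Point the script at a real IIS log directory (typically `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\` for the default website) by feeding each file's lines to `find_viewstate_in_query`; the legitimate `/ecp/?rfr=owa` and POST entries in the sample are left alone, and only the GET carrying ViewState in its query string is reported.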