Over 350,000 Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against CVE-2020-0688, a post-authentication remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.

This security flaw is present in the Exchange Control Panel (ECP) component, which is enabled by default. Its root cause is that every Exchange installation shipped with the same static ASP.NET machineKey for ECP, so anyone holding a valid mailbox credential can forge a signed __VIEWSTATE that the server deserializes and executes. In practice it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.

Microsoft patched this RCE bug on the February 2020 Patch Tuesday and rated it "Exploitation More Likely" on its Exploitability Index, a signal that the vulnerability was an attractive target for attackers.

Rapid7, the cyber-security firm behind the Metasploit penetration testing framework, added an Exchange RCE module for this bug to Metasploit on March 4, after multiple proof-of-concept exploits had surfaced on GitHub.

Both the NSA and CISA later issued warnings urging organizations to patch CVE-2020-0688 as soon as possible, as multiple APT groups had already started exploiting it in the wild.

82.5% of all Exchange servers found not yet patched

Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to find publicly facing Exchange servers, and the numbers are grim.

As they found, "at least 357,629 (82.5%) of the 433,464 Exchange servers" are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

To make matters worse, some of the servers Rapid7 tagged as safe might still be vulnerable, because "the related Microsoft update wasn't always updating the build number" the scan relied on. A build number observed from the outside is therefore not proof of patch status in either direction, which is why the sensible check is to confirm on each server that the update itself is installed rather than trusting a reported version.

Part of Rapid7's CVE-2020-0688 scan (Rapid7)

Furthermore, "there are over 31,000 Exchange 2010 servers that have not been updated since 2012," as the Rapid7 researchers observed. "There are nearly 800 Exchange 2010 servers that have never been updated."

They also found 10,731 Exchange 2007 servers and more than 166,321 Exchange 2010 ones. The former is already End of Support (EoS) software that has not received any security updates since April 2017, so those servers cannot be patched at all and can only be protected by upgrading or taking them offline; the latter reaches EoS in October 2020.

Rapid7's results line up with a March 13 report from Kenna Security, which found that only 15% of the Exchange servers it observed had been patched for CVE-2020-0688 as of March 11.

If your org uses Microsoft Exchange I *strongly* recommend you make sure the patch for CVE-2020-0688 (Feb 11) is installed.

Unpatched means phished user = SYSTEM on OWA servers.
@Rapid7 Project Sonar found at least 357,629 unpatched hosts.

Blog post: https://t.co/DclWb3T0mZ — Tom Sellers (@TomSellers) April 6, 2020

Patch against CVE-2020-0688 ASAP

"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," Rapid7 Labs senior manager Tom Sellers further explained.

Compromised user accounts used in attacks against Exchange servers can be discovered by checking the Windows Application event log for "Invalid viewstate" errors raised by ECP, and the IIS logs for requests to a path under /ecp whose query string contains the __VIEWSTATE and __VIEWSTATEGENERATOR parameters (fragments of the encoded payload). Legitimate ECP pages submit ViewState in a POST body, which IIS does not log, so those parameter names appearing in the logged query string are a strong indicator, and the cs-username field of such a request names the account whose credentials the attacker used.
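As an added example that is not Rapid7's or Microsoft's code, the following script applies the IIS-log indicator above to exported W3C-format IIS logs: it reads the #Fields header so the column order matches the server's configuration, flags any request for a path under /ecp whose query string carries __VIEWSTATE or __VIEWSTATEGENERATOR, and reports the timestamp, client IP, account name and response status for each. The log lines, addresses, usernames and ViewState values embedded at the bottom are constructed for illustration; the generator value is likewise only illustrative.

```python
"""
Hunt IIS logs for CVE-2020-0688 exploitation attempts.

Added example (not Rapid7's or Microsoft's code). It implements the IIS-log
indicator described above: a request for a path under /ecp whose *query string*
carries __VIEWSTATE / __VIEWSTATEGENERATOR. Legitimate ECP pages send ViewState
in a POST body, which IIS does not log, so these names in cs-uri-query are the
anomaly. The log lines below are constructed for illustration; IPs, usernames
and the ViewState/generator values are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator
from urllib.parse import parse_qs

# Matches either parameter name, case-insensitively (IIS preserves the
# attacker's casing, and /ecp vs /ECP are the same path on IIS).
VIEWSTATE_RE = re.compile(r"__VIEWSTATE(GENERATOR)?=", re.IGNORECASE)


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    username: str       # cs-username: the account whose credentials were used
    uri_stem: str
    status: str         # sc-status as logged by IIS
    viewstate_len: int  # length of the decoded __VIEWSTATE value
    generator: str      # __VIEWSTATEGENERATOR value, "" if absent


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request row, keyed by the names in the #Fields header.

    IIS writes a fresh #Fields line whenever the site restarts or the field
    set changes, so the header is re-read each time it appears.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # data before any header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip it, do not abort the hunt
        yield dict(zip(fields, values))


def find_hits(lines: Iterable[str]) -> list[Hit]:
    """Return every /ecp request that carries ViewState in its query string."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if not stem.lower().startswith("/ecp/"):
            continue
        if query == "-" or not VIEWSTATE_RE.search(query):
            continue
        # parse_qs URL-decodes the values; lower-case the keys so casing
        # games by the attacker do not hide the parameters.
        params = {k.lower(): v for k, v in
                  parse_qs(query, keep_blank_values=True).items()}
        viewstate = params.get("__viewstate", [""])[0]
        hits.append(Hit(
            timestamp=f"{row.get('date', '')} {row.get('time', '')}",
            client_ip=row.get("c-ip", ""),
            username=row.get("cs-username", ""),
            uri_stem=stem,
            status=row.get("sc-status", ""),
            viewstate_len=len(viewstate),
            generator=params.get("__viewstategenerator", [""])[0],
        ))
    return hits


# Constructed sample log: one normal OWA hit, one normal ECP POST, one
# exploit-shaped GET by an authenticated user, one unauthenticated probe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-03-05 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-03-05 12:00:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2020-03-05 12:00:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList schema=MailboxRule 443 CORP\\bob 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 30
2020-03-05 12:00:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 443 CORP\\alice 203.0.113.7 python-requests/2.23.0 500 0 0 45
2020-03-05 12:00:04 10.0.0.5 GET /ECP/default.aspx __VIEWSTATE=AAAA 443 - 198.51.100.9 curl/7.68.0 302 0 0 10
"""

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against copies of the logs from C:\inetpub\logs\LogFiles on each Exchange server (pass `open(path)` in place of `SAMPLE_LOG.splitlines()`); the normal ECP POST and the OWA request are ignored, while the authenticated GET with ViewState in its query string is reported with the account name to reset and investigate, and the unauthenticated probe is reported with "-" as the username.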

Since Microsoft says there are no mitigating factors for this vulnerability, the only real option, as Rapid7 also advises, is to patch your servers before attackers find them and use them as a foothold into the rest of your network. Resetting every user's password would only invalidate credentials that have already been stolen; it does not close the hole, because any account phished afterwards works just as well against an unpatched server.

Download links to security updates for vulnerable Microsoft Exchange Server versions needed to deploy the update and related KB articles are available in the table below: