Eight months after Microsoft addressed the CVE-2020-0688 vulnerability affecting Microsoft Exchange servers, 61% of Exchange servers (Exchange 2010, 2013, 2016, and 2019) are still vulnerable to exploitation, new research from the cybersecurity firm Rapid7 revealed.
CVE-2020-0688 resides in the Exchange Control Panel (ECP) component and stems from the fact that Exchange Server fails to properly create unique cryptographic keys at the time of installation. This flaw allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on a server and fully compromise it.
Microsoft fixed the flaw as part of its February 2020 Patch Tuesday release, but Rapid7's investigation showed that over 247,000 Microsoft Exchange servers (61 percent of a total of 405,873 Exchange installs) remain unpatched.
The researchers said that 87% of almost 138,000 Exchange 2016 servers and 77% of nearly 25,000 Exchange 2019 servers are still vulnerable to CVE-2020-0688 attacks, and roughly 54,000 Exchange 2010 servers have not been updated in six years. The research also revealed that 16,577 servers running Exchange 2007 (an unsupported Exchange version that did not receive security updates to protect against CVE-2020-0688 attacks) are reachable over the Internet.
In March, the cybersecurity firm Volexity reported multiple attempts by nation-state hackers to exploit this vulnerability. Administrators can detect compromised Exchange accounts by checking Windows Event and IIS logs for parts of encoded payloads, including the "Invalid viewstate" text or the __VIEWSTATE and __VIEWSTATEGENERATOR strings in requests to a path under /ecp (usually /ecp/default.aspx).
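The log check described above, as an added example that is not part of the original article: it parses IIS W3C log lines and flags requests to a path under /ecp whose query string carries __VIEWSTATE or __VIEWSTATEGENERATOR, with a small helper for the "Invalid viewstate" event text. The sample log lines, usernames, client addresses and viewstate values are constructed for illustration.

```python
from typing import Dict, List

VIEWSTATE_MARKERS = ("__VIEWSTATE", "__VIEWSTATEGENERATOR")

# Constructed IIS W3C log excerpt (not real traffic). The cs-username column
# matters: the flaw needs an authenticated account, so that account is the
# first thing to review when a line is flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-10-01 10:15:22 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE&__VIEWSTATE=CONSTRUCTED1 443 CONTOSO\\alice 203.0.113.7 500
2020-10-01 10:15:25 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 198.51.100.9 200
2020-10-01 10:16:02 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\alice 203.0.113.7 200
2020-10-01 10:16:40 10.0.0.5 POST /ecp/ __VIEWSTATE=CONSTRUCTED2 443 CONTOSO\\carol 192.0.2.4 500
"""

# Constructed Windows Application log message text of the kind the article mentions.
SAMPLE_EVENT_MESSAGE = "Exception message: Invalid viewstate. Client IP: 203.0.113.7"


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the header
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious_ecp_request(row: Dict[str, str]) -> bool:
    """True for a request to a path under /ecp whose query carries a viewstate marker."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "")
    under_ecp = stem == "/ecp" or stem.startswith("/ecp/")
    return under_ecp and any(marker in query for marker in VIEWSTATE_MARKERS)


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return every parsed log row that matches the detection rule."""
    return [row for row in parse_iis_w3c(text) if is_suspicious_ecp_request(row)]


def is_invalid_viewstate_event(message: str) -> bool:
    """True when an event log message text contains the 'Invalid viewstate' string."""
    return "invalid viewstate" in message.lower()
```

Each flagged row carries the account (cs-username) and client address (c-ip) that should be reviewed first; legitimate ECP page loads normally show a "-" query string, as in the third sample line.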