More than 85,000 Microsoft Exchange servers are still remain unpatched against several remote code execution flaws fixed by Microsoft back in February 2023, a new research found.

The vulnerabilities in question are tracked as CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707 and allow threat actors to remotely execute code on the target machine.

Although there have been no reports at the time about attacks exploiting these bugs, Microsoft urged organizations to update their servers as soon as possible, as the flaws potentially could have been used by hackers to gain initial access to a corporate network.

However, an analysis conducted by the Cybernews team showed that almost three months after security updates were released many organizations using Microsoft Exchange software still remain vulnerable.

The team found that one in three MS Exchange servers are still left unpatched, with most of them (over 18,000) located in Germany.

Out of 248,350 internet-connected Microsoft Exchange servers studied by researchers, 85,261 or 34.33% were exposed to the RCE vulnerabilities.

The US is the second most affected country, with nearly 16,000 servers still left unpatched, followed by the UK (3,734), France (2,959), the Netherlands (2,906), and Russia (2,775).

Researchers also analyzed Exchange version distribution and found that in most Western countries, newer but still vulnerable versions were more common, except for the first minor version in a major release (e.g., version 15.2.986.5 instead of 15.2.986.41).

In case of China and Russia, researchers found that there was a preference for older versions of MS Exchange 2016, although newer versions were still used in the 2019 and 2013 releases.

Although months have passed since the RCE flaws were identified, the number of unpatched Exchange servers is barely declining. According to the Shadowserver Foundation stats, the number of vulnerable servers in February was around 87,000, the researchers noted.