CRITICAL: Vulnerable Exchange Server Report

DESCRIPTION LAST UPDATED: 2024-04-09

DEFAULT SEVERITY LEVEL: CRITICAL

This report contains a list of vulnerable Microsoft Exchange servers found through our daily IPv4 full Internet scans and IPv6 hitlist based scans.

Most vulnerability assessments are made on the version observed.

As of 2024-03-14 this scan contains information on services with the following remote code execution vulnerabilities:

Additionally, we also scan for EOL (end of life) versions of Microsoft Exchange servers. The following versions are tagged eol as of 2023-11-19:

  • 15.0.*
  • 14.*
  • 8.*
  • 6.*
  • 5.*
  • 4.*

If you receive an alert from us please make sure to upgrade your Microsoft Exchange server!

Notes on CVE-2024-21410

15.2.1544.04 is the first release of that series and is NOT vulnerable.

We tag as vulnerable any version less than:
15.2.1118.12
15.2.986.29
< 15.2.986 (anything less than this series)
15.1.2507.12
15.1.2375.31
< 15.1.22375 (anything less than this series)

We tag as possibly vulnerable (as they MAY have mitigations in place) any version greater than or equal to:
Anything in 15.2.1258.*
15.2.1118.12
15.2.986.29
15.1.2507.12
15.1.2375.31

Notes on CVE-2021-26855

The CVE-2021-26855 vulnerability assessment is made based on Microsoft’s http-vuln-cve2021-26855.nse nmap detection script.

Notes on CVE-2022-41082

If you receive an alert for CVE-2022-41082 make sure to apply the latest Microsoft patch (from November 8th, 2022). It is not enough to implement the previously recommended mitigation. As discovered by Crowdstrike, the mitigation proposed can be bypassed.

We make our assessment based on x_owa_version header.

Exchange Versions Vulnerable to CVE-2022-41080/CVE-2022-41082

2019
15.2.1118.15 - 15.2.1118.7 <-- strict match of all 4 numbers required
15.2.986.30 - 15.2.986.5 <-- strict match of all 4 numbers required
15.2.922.27 - 15.2.196.0 (anything less than or equal to 15.2.922 ) 
^^^ looser match of the first 3 numbers is required

2016
15.1.2507.13 - 15.1.2507.6 <-- strict match of all 4 numbers required
15.1.2375.32 - 15.1.2375.7 <-- strict match of all 4 numbers required
15.1.2308.27 - 15.1.225.16 (anything less than or equal to 15.1.2308) 
^^^ looser match of the first 3 numbers is required

2013
15.0.1497.31 - 15.0.1497.2 <-- strict match of all 4 numbers required
15.0.1473.6 - 15.0.516.32 (anything less than or equal to 15.0.1473)
^^^ looser match of the first 3 numbers is required

Dashboard

You can track vulnerable Exchange scan results on the Shadowserver Dashboard. You can also check for specific CVEs by selecting source “exchange” and the appropriate CVE tags here.

Full Exchange exposure (population scan) can also be found on the Shadowserver Dashboard.

For more information on our Exchange scanning efforts, please read about our previous special reports.

For more information on our scanning efforts, check out our Internet scanning summary page.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

This report comes in two versions, for IPv4 and IPv6.

Filename(s): scan_exchange, scan6_exchange.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • severity
    Severity level
  • ip
    IP of the affected device
  • port
    Port response was received from
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • tag
    Array of tags. This would be exchange;cve-2021-26855
  • asn
    AS of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the IP in question
  • version
    Exchange version detected
  • servername
    Exchange server name
  • url
    URL

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","version","servername","url"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,443,node01.example.com,cve-2022-41082;cve-2023-21529;exchange,64512,ZZ,Region,City,0,scantarget,"Communications, Service Provider, and Hosting Service",15.1.2375.17,NODE01,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,443,node02.example.com,cve-2023-21529;exchange,64512,ZZ,Region,City,0,scantarget,"Communications, Service Provider, and Hosting Service",15.1.2375.34,NODE02,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,443,node03.example.com,cve-2023-36439;cve-2023-36745;exchange,64512,ZZ,Region,City,0,scantarget,"Education Services",15.1.2507.27,NODE03,

Our 131 Report Types