DESCRIPTION LAST UPDATED: 2024-04-09
DEFAULT SEVERITY LEVEL: CRITICAL
This report contains a list of vulnerable Microsoft Exchange servers found through our daily IPv4 full Internet scans and IPv6 hitlist-based scans.
Most vulnerability assessments are made on the version observed.
As of 2024-03-14 this scan contains information on services with the following remote code execution vulnerabilities:
- CVE-2020-0688
- CVE-2021-26855
- CVE-2021-27065
- CVE-2022-41082
- CVE-2023-21529
- CVE-2023-36745 [tagging as of 2023-10-27]
- CVE-2023-36439 [tagging as of 2023-11-15]
- CVE-2024-21410 and possible CVE-2024-21410 [tagging as of 2024-02-17]. These are tagged cve-2024-21410 and possible-2024-21410 respectively. The possible-cve-2024-21410 tag is used for instances where the version suggests a vulnerable version but the EPA mitigation may be in place. Please see Microsoft’s guidance for details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
- CVE-2024-26198 [tagging as of 2024-03-14]
Additionally, we also scan for EOL (end of life) versions of Microsoft Exchange servers. The following versions are tagged eol as of 2023-11-19:
- 15.0.*
- 14.*
- 8.*
- 6.*
- 5.*
- 4.*
If you receive an alert from us please make sure to upgrade your Microsoft Exchange server!
Notes on CVE-2024-21410
15.2.1544.04 is the first release of that series and is NOT vulnerable.
We tag as vulnerable any version less than:
15.2.1118.12
15.2.986.29
< 15.2.986 (anything less than this series)
15.1.2507.12
15.1.2375.31
< 15.1.22375 (anything less than this series)
We tag as possibly vulnerable (as they MAY have mitigations in place) any version greater than or equal to:
Anything in 15.2.1258.*
15.2.1118.12
15.2.986.29
15.1.2507.12
15.1.2375.31
Notes on CVE-2021-26855
The CVE-2021-26855 vulnerability assessment is made based on Microsoft’s http-vuln-cve2021-26855.nse nmap detection script.
Notes on CVE-2022-41082
If you receive an alert for CVE-2022-41082, make sure to apply the latest Microsoft patch (from November 8th, 2022). It is not enough to implement the previously recommended mitigation. As discovered by CrowdStrike, the proposed mitigation can be bypassed.
We make our assessment based on the x_owa_version header.
Exchange Versions Vulnerable to CVE-2022-41080/CVE-2022-41082
2019
15.2.1118.15 - 15.2.1118.7 <-- strict match of all 4 numbers required
15.2.986.30 - 15.2.986.5 <-- strict match of all 4 numbers required
15.2.922.27 - 15.2.196.0 (anything less than or equal to 15.2.922 )
^^^ looser match of the first 3 numbers is required
2016
15.1.2507.13 - 15.1.2507.6 <-- strict match of all 4 numbers required
15.1.2375.32 - 15.1.2375.7 <-- strict match of all 4 numbers required
15.1.2308.27 - 15.1.225.16 (anything less than or equal to 15.1.2308)
^^^ looser match of the first 3 numbers is required
2013
15.0.1497.31 - 15.0.1497.2 <-- strict match of all 4 numbers required
15.0.1473.6 - 15.0.516.32 (anything less than or equal to 15.0.1473)
^^^ looser match of the first 3 numbers is required
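The matching rules in the table above can be checked against your own inventory with a short script. This is an added example, not Shadowserver's code: the ranges are transcribed from the table, while the function names, the "undetermined" result for three-number values that fall in a strict series, and applying each looser match only within the same first two numbers are assumptions.

```python
import re

# Ranges transcribed from the table above (added example, not Shadowserver's code).
# Strict rows: (major, minor, build, lowest revision, highest revision).
STRICT = [
    (15, 2, 1118, 7, 15),
    (15, 2, 986, 5, 30),
    (15, 1, 2507, 6, 13),
    (15, 1, 2375, 7, 32),
    (15, 0, 1497, 2, 31),
]
# Loose rows: (major, minor) -> highest build; the fourth number is ignored.
LOOSE = {(15, 2): 922, (15, 1): 2308, (15, 0): 1473}


def parse_version(text):
    """Parse '15.2.986.29' or '15.2.986' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text, flags=re.ASCII):
        raise ValueError(f"not an Exchange version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Return 'vulnerable', 'not-listed' or 'undetermined' for one version."""
    version = parse_version(version_text)
    major, minor, build = version[:3]
    # Looser match: only the first three numbers are compared.
    limit = LOOSE.get((major, minor))
    if limit is not None and build <= limit:
        return "vulnerable"
    # Strict match: the series must match and the revision must be in range.
    for s_major, s_minor, s_build, low, high in STRICT:
        if (major, minor, build) == (s_major, s_minor, s_build):
            if len(version) < 4:
                # Assumption: without the fourth number no strict match is possible.
                return "undetermined"
            return "vulnerable" if low <= version[3] <= high else "not-listed"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample values, as they might appear in an x_owa_version header.
    for sample in ["15.2.1118.15", "15.2.1118.20", "15.2.986", "15.1.2308.27", "15.0.1497.40"]:
        print(sample, classify(sample))
```

A "not-listed" result only means the version is outside this table; it says nothing about the other CVEs or the eol tag covered by this report.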
Dashboard
You can track vulnerable Exchange scan results on the Shadowserver Dashboard. You can also check for specific CVEs by selecting source “exchange” and the appropriate CVE tags here.
Full Exchange exposure (population scan) can also be found on the Shadowserver Dashboard.
For more information on our Exchange scanning efforts, please read about our previous special reports.
For more information on our scanning efforts, check out our Internet scanning summary page.
You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
Severity levels are described here.
This report comes in two versions, for IPv4 and IPv6.
Filename(s): scan_exchange, scan6_exchange.