Microsoft Exchange is a mail server solution widely used by businesses. Last year, the DTC reported on a number of serious vulnerabilities (CVE-2020-0688, CVE-2020-16875) in Exchange for which Microsoft has made security updates available. Many Exchange Servers that have not installed these updates can still be found on the Internet. In addition, some companies are still using an Exchange Server version that is no longer supported (End-of-Life). Microsoft Exchange Server 2010 has been in that category since Oct. 13, 2020.

Exchange is a Microsoft product that is used as a mail server to receive and send e-mails, often with its own domain (@company.co.uk) as the sender. In addition, an Exchange Server provides the ability to synchronize e-mail, contacts and calendars across devices.
Many companies today use e-mail in the cloud, such as Office 365 or Gmail. Despite this trend, there are still many companies that run their own e-mail server. In many cases, Microsoft Exchange Server is used for this purpose.
When an Exchange Server is not provided with the latest (security) updates in a timely manner or they are no longer released (end-of-life), there is a risk that hackers will abuse existing vulnerabilities.
The vulnerabilities mentioned (CVE-2020-0688, CVE-2020-16875), among others, are rated as HIGH/HIGH by the NCSC, which means that there is a high probability that these vulnerabilities will be exploited and that the potential damage could be significant.
In addition to the risk of abuse by hackers, the updates also fix errors (bugs) in the software that can cause the product to stop functioning properly.
Microsoft Exchange has had several versions since 1996, many of which are no longer supported. Microsoft Exchange 2010 recently became unsupported (Oct. 13, 2020) but is still used by many companies. The same is true for Microsoft Exchange 2007, which has been unsupported since April 11, 2017.
On Microsoft's website you can find a complete overview of Exchange Server versions and when their support expires or has expired. Below you will find the versions that are still supported and until when.
Exchange Server 2013: 11-4-2023
Exchange Server 2016: 14-10-2025
Exchange Server 2019: 14-10-2025
If your company uses a Microsoft Exchange environment, it is important that this is a version that is still supported and has the latest (security) updates. If you are not sure if Microsoft Exchange is used within your company or what version it is, contact your IT service provider.
You can go through or discuss the following steps with your IT service provider.
Provide the Exchange Server(s) within your company with the latest (security) updates. Pay extra attention to "Cumulative Updates". (See the additional information at the end of this page.)
Establish a process to periodically check that the Exchange Server(s) within your organization have the latest (security) updates installed, so that you are also protected in time against future vulnerabilities.
Check whether the version of Exchange is still supported by Microsoft (see the overview in this post). If it is not or the end date is approaching, consider the following.
Exchange Servers cannot be "upgraded" to a newer version. So a migration will always be necessary. For this, it is recommended to migrate to the latest available version. Currently, that is Exchange Server 2019.
Consider migrating to the cloud. In Microsoft's case, this means the Office 365 mail environment. Read about the ways to migrate to Office 365 on Microsoft's website.
Caution! Security updates for Microsoft Exchange are only available for servers that have a particular version of the so-called "Cumulative Update" installed. A "Cumulative Update" is released by Microsoft every 3 to 4 months for each Exchange Server version. For Exchange Server 2013, 2016 and 2019, a "Cumulative Update" must be installed manually, so you cannot rely on automatic updates alone. Microsoft provides more information on this page about the available "Cumulative Updates" and how to check which one is installed.
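
The periodic check described in the steps above can be scripted. The following PowerShell is an added example, not code from this article or from Microsoft: the function name, the 365-day warning window and the sample servers are assumptions, and the end-of-support dates are the ones quoted in this article.

```powershell
# Added example. End-of-support dates are the ones quoted in this article.
$Lifecycle = @(
    @{ Pattern = '^8\.';    Product = 'Exchange Server 2007'; End = [datetime]'2017-04-11' }
    @{ Pattern = '^14\.';   Product = 'Exchange Server 2010'; End = [datetime]'2020-10-13' }
    @{ Pattern = '^15\.0$'; Product = 'Exchange Server 2013'; End = [datetime]'2023-04-11' }
    @{ Pattern = '^15\.1$'; Product = 'Exchange Server 2016'; End = [datetime]'2025-10-14' }
    @{ Pattern = '^15\.2$'; Product = 'Exchange Server 2019'; End = [datetime]'2025-10-14' }
)
$WarnDays = 365  # assumption: flag servers whose support ends within a year

function Get-ExchangeSupportStatus {  # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AdminDisplayVersion,
        [datetime]$AsOf = (Get-Date)
    )
    $row = [ordered]@{ Server = $Name; Product = 'unknown'; Build = $AdminDisplayVersion }
    $row.SupportEnds = $null
    $row.Status = 'UNKNOWN VERSION'
    # AdminDisplayVersion looks like "Version 15.1 (Build 2106.2)"
    if ($AdminDisplayVersion -match 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)') {
        $version = $Matches[1]
        $row.Build = '{0}.{1}' -f $Matches[1], $Matches[2]
        $entry = $Lifecycle | Where-Object { $version -match $_.Pattern } | Select-Object -First 1
        if ($entry) {
            $daysLeft = ($entry.End - $AsOf.Date).Days
            $row.Product = $entry.Product
            $row.SupportEnds = $entry.End.ToString('yyyy-MM-dd')
            if ($daysLeft -lt 0) { $row.Status = 'END-OF-LIFE: migrate' }
            elseif ($daysLeft -le $WarnDays) { $row.Status = 'SUPPORT ENDING: plan migration' }
            else { $row.Status = 'SUPPORTED: verify Cumulative Update' }
        }
    }
    [pscustomobject]$row
}

# Live inventory in the Exchange Management Shell; otherwise constructed sample data.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    $servers = Get-ExchangeServer |
        Select-Object Name, @{ n = 'Ver'; e = { "$($_.AdminDisplayVersion)" } }
} else {
    $servers = @(
        [pscustomobject]@{ Name = 'MAIL01'; Ver = 'Version 14.3 (Build 123.4)' }  # constructed
        [pscustomobject]@{ Name = 'MAIL02'; Ver = 'Version 15.2 (Build 721.2)' }  # constructed
    )
}
$servers | ForEach-Object {
    Get-ExchangeSupportStatus -Name $_.Name -AdminDisplayVersion $_.Ver
} | Format-Table -AutoSize
```

The script only reports the installed build number. Whether that build is the latest "Cumulative Update" still has to be checked against Microsoft's overview mentioned above.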
