Germany Says 92% of Public Exchange Servers Run Unsupported Software

Germany’s national cybersecurity agency has warned that an overwhelming majority of the country’s publicly reachable Exchange servers remain on unsupported software just after Microsoft ended mainstream updates for Exchange Server 2016 and 2019 — a finding that raises immediate operational, regulatory, and security red flags for organisations across healthcare, education, public administration, and the private sector.

Background

What changed: end of support and a limited safety valve

Microsoft officially ended mainstream support for Exchange Server 2016 and Exchange Server 2019 on October 14, 2025. In response to migration delays among customers, Microsoft announced a one‑time, fee‑based Extended Security Update (ESU) program that offers six months of critical and important security updates only — through April 14, 2026. The ESU is explicitly not a lifecycle extension: it’s a short, paid, controlled distribution of security fixes to enrolled customers.
At the same time Microsoft released the new Exchange Server Subscription Edition (SE), moving on‑premises Exchange to a subscription, evergreen model intended to remove fixed lifecycle deadlines in future. Exchange SE is the supported on‑premises path forward; remaining on legacy versions after the ESU window will leave servers permanently without vendor patch support.

The BSI’s headline finding

Germany’s Federal Office for Information Security (BSI), through its CERT‑Bund team, has reported that roughly 92% of the nation’s ~33,000 publicly reachable Exchange servers are still running Exchange 2019 or older — in other words, out of support or exposed on old code paths. That population includes many municipal and mission‑critical organisations such as hospitals, clinics, schools, universities, social services, law and tax firms, local authorities and utilities. The BSI explicitly warned that a new critical Exchange vulnerability could not be patched on these systems, potentially forcing immediate service shutdowns to prevent compromise.

Why this matters: threat and impact anatomy

Exchange is a high‑value target

On‑premises Exchange servers expose a public‑facing web tier (Outlook Web Access/OWA and the related CAS, Client Access, endpoints) that has historically been the vector for high‑impact exploits: ProxyLogon (CVE‑2021‑26855), ProxyShell (a chain of CVE‑2021‑34473 / CVE‑2021‑34523 / CVE‑2021‑31207) and later ProxyNotShell (CVE‑2022‑41040 / CVE‑2022‑41082) were all abused in widespread campaigns to install web shells, steal mailboxes and pivot into on‑premises Active Directory. Those breaches led to ransomware incidents, long investigations and severe operational disruption. An unpatched Exchange server is an immediate, well‑proven risk.

Cascade effects inside networks

Exchange servers typically integrate deeply with Active Directory, MAPI, transport stacks and hybrid connectors. Network architectures that are flat, inadequately segmented, or that expose Exchange directly to the internet accelerate lateral movement if an Exchange host is compromised. The BSI explicitly warns that compromise of an Exchange server often leads to domain‑wide takeover, data exfiltration, ransomware encryption, and weeks of production downtime — consequences that hit hardest where the affected firms provide essential services.

Regulatory, reputational and business continuity exposure

Beyond technical risk, running unsupported server software in regulated sectors can trigger compliance issues under data protection laws (for example, GDPR obligations to implement appropriate security measures). A breach caused by avoidable risks — like ignoring a software end‑of‑support deadline — magnifies potential regulatory and litigation exposure, not to mention reputational damage and direct financial loss from downtime and remediation. The presence of hospitals and municipal services in the affected population multiplies the societal impact.

Why so many organisations haven’t migrated: practical realities

It’s tempting to characterise the problem as simple negligence; the truth is messier. There are multiple, legitimate technical and organisational reasons that slow or block an Exchange migration:
  • Legacy integrations: Many on‑premises applications and appliances (line‑of‑business systems, MDMs, archival tools, third‑party connectors) depend on specific Exchange APIs or CU levels.
  • Hybrid topologies: Organisations running hybrid Exchange/Exchange Online configurations must plan and validate coexistence and mailbox migrations carefully. Some Exchange 2016/2019 CU levels complicate coexistence, requiring pre‑migration steps.
  • Resource and timing constraints: Large organisations or public bodies often lack the staff and change windows to perform complex migrations quickly, particularly outside of controlled maintenance windows.
  • Procurement and licensing friction: Moving to Exchange SE (a subscription) or to Exchange Online requires budget approvals and licensing changes that do not happen overnight.
  • Testing and compliance cycles: In highly regulated sectors the change control process and acceptance testing can add weeks or months to any migration project.
These realities make the Microsoft ESU offering both understandable and problematic: it buys time for complex workflows, but it also creates a temptation to defer necessary modernization.

What the BSI and Microsoft recommend — and how practical those measures are

BSI’s core advice

The BSI’s advisory is blunt: migrate to supported software (Exchange SE or a different solution), reduce direct internet exposure for Exchange services, and harden and segment networks to contain a potential breach. Where removal from the internet is impractical, the BSI recommends restricting access to trusted IP addresses, placing Exchange behind secure VPNs or reverse proxies, and generally avoiding running unsupported versions.

Microsoft’s position

Microsoft’s message is: upgrade to Exchange Server Subscription Edition or migrate to a supported environment (e.g., Exchange Online). For organisations that cannot finish migration by October 14, 2025, Microsoft offers the paid six‑month ESU until April 14, 2026 — a short, controlled safety net while migrations complete. Microsoft explicitly states the ESU is not a lifecycle extension and that ESU patches may not be issued unless critical vulnerabilities are discovered.

Practical mitigation checklist for administrators

Immediate steps that technical teams can implement to reduce exposure — whether upgrading is immediately possible or not:
  • Inventory and risk triage
      • Identify every Exchange instance, its exact CU/build, and whether OWA/CAS are internet‑reachable.
      • Prioritise by business criticality and exposure (publicly reachable services first).
  • Apply available updates now
      • If still on a supported CU for Exchange 2016/2019, apply the latest cumulative and security updates immediately.
      • Enrol for ESU only as a last‑resort contingency, not as a long‑term strategy.
  • Reduce direct exposure
      • Remove direct OWA/CAS exposure where possible: terminate the public endpoint, use a reverse proxy or secure VPN access, or restrict ingress to trusted IP ranges and service endpoints.
      • Deploy Web Application Firewalls (WAFs) and URL rewrite mitigations for known exploit paths (Autodiscover etc.) until full migration completes.
  • Harden and segment
      • Isolate Exchange servers into a hardened subnet with strict firewall rules.
      • Limit administrative access using jump hosts, MFA, and just‑in‑time privileges.
  • Hunt and remediate
      • Scan for web shells, unusual IIS/w3wp activity, suspicious scheduled tasks and persistence mechanisms; if compromise is suspected, take the server offline and perform full incident response.
      • Preserve logs and perform forensic capture before rebooting or patching in a suspected breach.
  • Prepare business continuity
      • Implement email continuity plans (MX redirection to alternate MTAs or cloud providers) so mailbox service can continue if an on‑prem server must be isolated.
      • Ensure backups are tested, immutable where possible, and that restore procedures are rehearsed.
  • Plan migration
      • Determine the migration path: in‑place CU upgrade to SE, fresh Exchange SE deployment and mailbox migration, or move to Exchange Online (and retire Exchange on‑prem).
      • Validate third‑party products and integrations against Exchange SE compatibility lists before cutover.
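The inventory and triage step above, as an added example in Python (this is not code from the original post, the BSI or Microsoft). It assumes you have exported each server's name and the AdminDisplayVersion string that Get-ExchangeServer reports (for example "Version 15.1 (Build 2507.44)") together with two hand-maintained flags per host. The version-family-to-product mapping and the build threshold used to tell Exchange SE apart from Exchange 2019 (both report 15.2) are assumptions to verify against Microsoft's published build-number table; the sample hosts are constructed.

```python
"""Exchange inventory and risk triage (added example, not code from the post or BSI).

Input records mimic what Get-ExchangeServer reports in AdminDisplayVersion, e.g.
"Version 15.1 (Build 2507.44)", plus two hand-maintained flags per host.
The product mapping and the SE build threshold are assumptions: verify them
against Microsoft's published Exchange build-number table before relying on them.
"""
import re
from dataclasses import dataclass

# Assumption: version families as published by Microsoft. 15.2 is shared by
# Exchange 2019 and Exchange SE, so a build threshold separates them.
PRODUCT_BY_FAMILY = {"15.0": "Exchange 2013", "15.1": "Exchange 2016", "15.2": "Exchange 2019"}
SE_MIN_BUILD = 2562  # assumption: first Exchange SE build in the 15.2 line

VERSION_RE = re.compile(r"Version (\d+\.\d+) \(Build (\d+)\.(\d+)\)")


@dataclass
class ExchangeHost:
    name: str
    admin_display_version: str    # as reported by Get-ExchangeServer
    owa_internet_reachable: bool  # OWA/CAS endpoint answers from the internet
    business_critical: bool       # e.g. hospital, municipality, tax firm


def classify(admin_display_version: str) -> tuple:
    """Return (product, vendor_supported) for an AdminDisplayVersion string.

    vendor_supported means the product still receives regular security updates
    without the paid ESU. An unparsable string is treated as unsupported so it
    is never silently dropped from the triage list.
    """
    m = VERSION_RE.fullmatch(admin_display_version.strip())
    if not m:
        return ("unknown", False)
    family, build = m.group(1), int(m.group(2))
    if family == "15.2" and build >= SE_MIN_BUILD:
        return ("Exchange SE", True)
    return (PRODUCT_BY_FAMILY.get(family, "unknown"), False)


def risk_score(host: ExchangeHost) -> int:
    """Higher is worse: unsupported code, public exposure, criticality."""
    _, supported = classify(host.admin_display_version)
    score = 0
    if not supported:
        score += 50
    if host.owa_internet_reachable:
        score += 30
    if host.business_critical:
        score += 20
    return score


def triage(hosts):
    """Rank hosts so the first entries are the ones to isolate or patch today."""
    rows = []
    for h in hosts:
        product, supported = classify(h.admin_display_version)
        rows.append({
            "name": h.name,
            "product": product,
            "supported": supported,
            "internet": h.owa_internet_reachable,
            "score": risk_score(h),
        })
    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return rows


# Constructed sample inventory (names, versions and flags are invented).
SAMPLE_HOSTS = [
    ExchangeHost("ex01", "Version 15.1 (Build 2507.44)", True, True),
    ExchangeHost("ex02", "Version 15.2 (Build 1748.10)", False, True),
    ExchangeHost("ex03", "Version 15.2 (Build 2562.17)", True, False),
    ExchangeHost("ex04", "Version 15.2 (Build 1748.10)", True, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        flag = "" if row["supported"] else "  <-- out of vendor support"
        print(f'{row["score"]:3d} {row["name"]:6} {row["product"]:14} '
              f'internet={row["internet"]}{flag}')
```

The ordering deliberately puts an internet-reachable, out-of-support server ahead of a critical but internal one: the BSI's concern is the publicly reachable population, and that is where an unpatchable vulnerability would bite first.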

Tactical options and tradeoffs

Buy ESU (short window, known cost)

Pros:
  • Buys time for planning and migration without immediate security outages.
  • Ensures critical SUs are available if Microsoft discovers an issue.
Cons:
  • Paid, manual enrolment and likely premium pricing.
  • Patches are distributed only to enrolled customers and may not be issued if Microsoft determines none are needed.
  • Not a long‑term fix — ESU ends April 14, 2026.

Migrate on‑premises to Exchange SE

Pros:
  • Maintains on‑premises email with Microsoft support under an evergreen lifecycle.
  • Removes the cliff of fixed EoL on 2016/2019.
Cons:
  • Migration effort can be sizeable: coexistence constraints, new licensing, testing, and potential infrastructure changes (e.g., newer Windows Server support, Server Core best practices).
  • Costs and time to complete for large estates.

Move to Exchange Online (cloud)

Pros:
  • Microsoft manages patching and mitigations; reduces attack surface for customer‑operated Exchange.
  • Simplifies long‑term lifecycle and security posture.
Cons:
  • Compliance, sovereignty, and integration concerns for regulated entities.
  • Migration complexities (large mailboxes, archives, third‑party connectors) and potential cost changes.

Replace with third‑party hosted mail

Pros:
  • Offers a managed alternative if cloud or on‑prem migration is impractical.
  • Can be faster than a full on‑prem modernization project.
Cons:
  • Vendor lock‑in, migration effort, SLA and data handling due diligence required.

Hard truths and risks ahead

  • Time is finite: the ESU window is six months and Microsoft has stated it will not be extended. Organisations that rely on this lifeline as a multi‑year strategy will be exposed when the ESU ends.
  • Attackers will keep targeting Exchange: historical campaign artifacts show that adversaries repeatedly exploit Exchange vectors to establish persistence and move laterally. Any widely present, unpatched population is lucrative, predictable bait.
  • Public sector and critical services are especially vulnerable: hospitals and municipal systems have little tolerance for outages, and their compromise can threaten lives and services. The presence of these organisations in the BSI dataset increases urgency.
  • Compliance and liability exposure will rise: regulators expect reasonable security measures; continued operation on unsupported software is a demonstrable gap that could be cited in enforcement or litigation after an incident.

A realistic migration playbook (technical sequence)

  • Immediate (days)
      • Take an accurate inventory of all Exchange instances and public exposure.
      • Apply any final available security updates for supported CUs.
      • If internet‑exposed, harden ingress (WAF, IP restrictions, VPN), enable MFA for admin accounts, and block legacy protocols where feasible.
  • Short term (weeks)
      • Run internal threat hunting for web shells and unusual activity (IIS logs, w3wp.exe anomalies).
      • Implement strict segmentation between Exchange/AD and the rest of the network.
      • Decide on ESU purchase only after risk assessment and procurement approval.
  • Medium term (1–3 months)
      • Execute a pilot migration to Exchange SE or Exchange Online, covering mail flow, archival, legal hold, and third‑party integrations.
      • Validate backup/restore and business continuity procedures.
      • Harden and automate patching for server build images and management workstations.
  • Longer term (3–12 months)
      • Complete migration across the estate and decommission legacy servers safely.
      • Reassess security posture, run tabletop incident response exercises, and update SOC playbooks for mail‑centric incidents.

What vendors, regulators and boards should be watching

  • Boards and CIOs: insist on an accurate, time‑stamped inventory and remediation plan with measurable milestones. The ESU window is a hard deadline and must be treated as such.
  • Procurement and legal: prepare for potential ESU purchase negotiations if migration cannot be completed in time, and assess contractual and regulatory impacts.
  • SOCs and IR teams: update detection and response playbooks for Exchange‑specific indicators (web shells, Autodiscover abuse, suspicious PowerShell or WMI activity).
  • Managed Service Providers: prepare migration offerings that account for compliance, data residency, and legacy integrations.

Conclusion

Germany’s BSI has issued an urgent and unambiguous warning: tens of thousands of internet‑reachable Exchange servers are running on software that will no longer receive vendor security updates. The clock is ticking — Microsoft’s six‑month ESU runs only until April 14, 2026 — and the consequences of inaction range from targeted mailbox compromise and ransomware to full domain takeover and regulatory fallout. Organisations must treat this as an operational emergency: inventory, mitigate exposure now, and execute a firm migration or containment plan. Buying the ESU may be a pragmatic short‑term bridge for some, but it is not a substitute for timely modernization, robust network segmentation, and a verified incident response capability. The cost of delay is not only technical; it can be regulatory, financial, and societal — especially when healthcare, education and local authorities are on the line.

Source: theregister.com, "9 in 10 Exchange servers in Germany are out of support"