Exchange server vulnerability summary

Updated: 3/11/2021 – referece to surgical restore process

There’s been a lively discussion with “breaking news” about the extent of the intrusion into networks and the solution to it over on our Ransomware and Security group. Now that it seems to have reached a stable information point, I thought I would summarize what you need to know.

  • Exchange 2013 – newer. You are probably hacked. Nearly everyone is.
  • Exchange 2010 – older. Probably not hacked.

This is because UTM features were the intrusion vector and 2010 didn’t have the technology yet.

  • Apply patches to Exchange 2013 – newer. There are three of them.
  • Apply patches to Exchange 2010. There is one of them.

Take note of how serious Microsoft recognizes this to be that they are issuing patches for long out of support versions of Exchange.

Applying patches only protects servers that haven’t already been hacked

It is very likely that your server has been hacked already. Find out by following the articles below.

The code runs as System

This means that there is potential that everything system can reach is now vulnerable. System can reach everything – so everything. The question has arisen that if you only find a single .js script from the hack do you need to isolate and reload? And the answer is yes.

Scan to determine if the intrusion has been activated on your network

Scan with this tool.

Check against a known compromised list of IP’s and domain names. Note that there are two tests one in which you browse from a device on your public IP and the other in which you enter your domain name.

File with the FBI

Help us respond to victims and hold those responsible accountable.


At very least perform an exchange migration to a new exchange server and change passwords throughout the domain. Don’t forget those local passwords on PC’s. Then, if the scan came back positive, consider the implications of intruded code with System level access to the rest of your network. You may need to rebuild everything.

Our own Dave Shackelford suggests a surgical restore process in this blog for single server deployments of Exchange

All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Kits, papers, MSP training and more.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

One thought on “Exchange server vulnerability summary”