9 in 10 Exchange servers in Germany still running out-of-support software
- Reference: 1761724815
- News link: https://www.theregister.co.uk/2025/10/29/germany_exchange_support/
- Source link:
While the end of Windows 10 updates occupied most of the headlines, Microsoft's support for Exchange Server and a [1]bunch of other 2016- and 2019-branded products ended on October 14, as scheduled [2]a year earlier.
Despite another warning from Microsoft in September, the vast majority of the roughly 33,000 public-facing Exchange servers in Germany known to the BSI are still exposing Outlook Web Access from Exchange Server 2019 or earlier, i.e. versions that left mainstream support on October 14.
This includes thousands of companies and public sector organizations such as hospitals and doctors' offices, schools and universities, social services, local authorities, and more.
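The BSI's count comes from the outside: an Exchange server's Outlook Web Access logon page references its static resources under a path that carries the server's build number, which is enough to tell 2013, 2016, 2019 and the Subscription Edition apart and to compare against the support dates in the article. The following is an added example written for this page, not BSI or Microsoft code. The HTML snippets are constructed; the build-to-product mapping (15.0 = 2013, 15.1 = 2016, 15.2 = 2019, with Subscription Edition RTM shipping as 15.2.2562.x) and the Exchange 2013 end-of-support date are assumptions taken from public Microsoft build lists, not from the article.

```python
import re
from datetime import date

# Constructed sample pages: the kind of markup an OWA logon page returns.
# Real pages reference /owa/auth/<build>/... resources, which leaks the build.
SAMPLE_PAGES = {
    "mail.example-2013.test": '<link href="/owa/auth/15.0.1497.48/themes/resources/logon.css">',
    "mail.example-2016.test": '<link href="/owa/auth/15.1.2507.55/themes/resources/logon.css">',
    "mail.example-2019.test": '<script src="/owa/auth/15.2.1748.10/scripts/premium/flogon.js"></script>',
    "mail.example-se.test": '<link href="/owa/auth/15.2.2562.17/themes/resources/logon.css">',
    "mail.example-unknown.test": "<html><body>Sign in</body></html>",
}

BUILD_RE = re.compile(r"/owa/auth/(\d+)\.(\d+)\.(\d+)\.(\d+)/")

# Assumption (not from the article): Exchange SE RTM is build 15.2.2562.x,
# everything below that on the 15.2 line is Exchange 2019 (up to CU15, 15.2.1748.x).
SE_MIN_BUILD = (15, 2, 2562, 0)

# Dates from the article: mainstream support ended 2025-10-14, the paid
# Extended Update Program runs six more months to 2026-04-14.
EOL_2016_2019 = date(2025, 10, 14)
ESU_END_2016_2019 = date(2026, 4, 14)
# Assumption: Exchange 2013 left extended support on 2023-04-11.
EOL_2013 = date(2023, 4, 11)


def parse_build(html):
    """Return the build as a 4-tuple of ints, or None if no /owa/auth/<build>/ path is present."""
    m = BUILD_RE.search(html)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(build, today=date(2025, 10, 29)):
    """Map a build tuple to (product, support status as of `today`)."""
    if build is None:
        return ("unknown", "no build string found")
    line = build[:2]
    if line == (15, 0):
        product = "Exchange 2013"
    elif line == (15, 1):
        product = "Exchange 2016"
    elif line == (15, 2):
        product = "Exchange SE" if build >= SE_MIN_BUILD else "Exchange 2019"
    else:
        return ("Exchange build %s" % ".".join(map(str, build)), "unrecognised build line")

    if product == "Exchange SE":
        status = "supported"
    elif product == "Exchange 2013":
        status = "out of support since %s" % EOL_2013.isoformat()
    elif today < EOL_2016_2019:
        status = "supported"
    elif today < ESU_END_2016_2019:
        status = "out of support (Extended Update Program until %s)" % ESU_END_2016_2019.isoformat()
    else:
        status = "out of support, no further updates"
    return (product, status)


def assess(pages, today=date(2025, 10, 29)):
    """Classify every host in a {host: html} mapping."""
    return {host: classify(parse_build(html), today) for host, html in pages.items()}


def count_unsupported(results):
    """How many hosts are not on a supported version (unknowns are not counted)."""
    return sum(1 for product, status in results.values()
               if product != "unknown" and status != "supported")


if __name__ == "__main__":
    results = assess(SAMPLE_PAGES)
    for host, (product, status) in sorted(results.items()):
        print("%-28s %-14s %s" % (host, product, status))
    print("unsupported:", count_unsupported(results), "of", len(results))
```

In practice the HTML would come from an HTTPS GET of `/owa/` against the hosts in scope, and the same build check run from inside the organisation (the Exchange Management Shell reports the build via `Get-ExchangeServer`) is the quicker route for an admin who only needs to know whether their own servers are still on 2019 or earlier.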
In a more detailed [6]security advisory , the BSI politely noted that on several infamous occasions in recent history, some nasty bugs in Exchange Server led to equally nasty consequences for defenders to clean up.
The document, written for the technical teams tasked with the upkeep of these products, states the obvious: if critical vulnerabilities of that kind are discovered again, Microsoft will no longer ship an update to fix them.
"The affected Exchange servers may then have to be taken offline immediately to prevent compromise. This would severely restrict the communication capabilities of the affected organizations.
"Due to flat network structures and inadequate segmentation and hardening, the compromise of an Exchange server often quickly leads to a complete compromise of the affected organization's entire network, which can result in the leak of sensitive information, the encryption of data by ransomware and subsequent ransom demands, as well as weeks of production downtime."
Microsoft is offering Exchange Server customers six more months of security updates past the deadline under its paid Extended Update Program (which it [12]announced in July), but after April 14, 2026, customers will be left to fend for themselves, and the BSI just wants them to migrate.
The message is either upgrade to the supported Subscription Edition (SE) or find an alternative solution. And stop exposing Exchange Server directly to the web, the advisory states: restrict access to trusted IP addresses only, or put it behind a VPN.
If readers need a refresher on what happens when Exchange Server instances aren't patched, take a trip down memory lane with our [13]ProxyShell coverage from 2021, or [14]ProxyNotShell the following year.
The Reg could also mention the [16]ProxyLogon campaign from China's Salt Typhoon/Hafnium outfit, which is somewhat relevant, although that one involved four chained zero-days, so Exchange customers were screwed regardless, [17]not that anyone seems to care now patches are available. ®
[1] https://www.theregister.com/2025/09/16/office_2019_2016_support/
[2] https://www.theregister.com/2024/10/16/microsoft_end_of_support_wave_widens/
[6] https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2025/2025-287772-1032
[8] https://www.theregister.com/2025/10/23/copilot_exchange_server/
[9] https://www.theregister.com/2025/10/08/microsoft_archiving_move/
[10] https://www.theregister.com/2025/08/07/microsoft_cisa_warn_yet_another/
[11] https://www.theregister.com/2025/08/01/china_us_intel_attacks/
[12] https://www.theregister.com/2025/07/17/microsoft_extended_security_exchange_skype_server/
[13] https://www.theregister.com/2021/11/09/sophos_infosec_predictions_2022_linux_targeting/
[14] https://www.theregister.com/2023/08/11/electoral_commission_vulnerability/
[16] https://www.theregister.com/2021/03/12/github_disappears_exploit/
[17] https://www.theregister.com/2025/01/23/proxylogon_flaw_salt_typhoons_open/
Re: How do you get through to business leaders?
On the comments on any article about cloud downtime, costs etc. you’ll have people smugly weighing in saying you’re much better off running your own on-prem. In theory maybe, but this is how it generally works out in practice - can’t even get the basics right. How many of these orgs have knowledgeable admins, HA/DR etc. and aren’t just operating on a wing and a prayer?
Re: How do you get through to business leaders?
That choosing Microsoft is :-
1) NOT the best choice
2) NOT the only choice
3) A way to get shafted (in the best possible way)
MS wants you to abandon 'on premises' for their cloud where they can slurp away to their heart's content. At least with 'on premises' you can firewall them out.
Re: How do you get through to business leaders?
Let’s be honest here - Microsoft is not the issue, it’s the inability of organisations to focus on, staff and fund one of the most basic operational responsibilities, keeping services in support and patching them. This would be a problem whatever technology was used - Microsoft still offer support on-prem software so there’s no excuse. If it’s just too hard for them (e.g. due to internal politics), they should move to cloud and outsource the problem to someone who can reliably do it and build it into a predictable fee.
As the article itself points out, a firewall won’t stop anyone (including far more malicious players than Microsoft, believe it or not) slurping your data if your externally facing email server gets compromised and you have - as seems likely in many of these cases - a flat internal network architecture.
I don’t get the hurry
Just because MS are no longer supporting these versions of Exchange, it doesn't mean they're suddenly going to become vulnerable.
I mean, it’s not like MS have any kind of track record of weekly faults and compromises in any of their products, bodged patches, more faults, more vulnerabilities, and general shonky software quality issues, is it?
How do you get through to business leaders?
I daresay a similar survey of the UK, France, Italy would have similar findings.
You'd have thought that after recent international headline grabbing ITsec fiascos that the topic would be number one on the risk register. The financial and reputational damage done at companies like JLR and M&S ought to be enough, and there's been data breaches and cyber attacks at German companies that are estimated to have cost €300bn a year, and again the same will be true in other European nations. Even the (limited) prospect of personal accountability for business leaders doesn't seem to be galvanising much action.