Vulnerable Exchange Server Report

LAST UPDATED: 2023-02-23

This report contains a list of vulnerable Microsoft Exchange servers found through our daily IPv4 full Internet scans and IPv6 hitlist-based scans.

As of 2023-02-15 this scan contains information on services with the following remote code execution vulnerabilities:

Notes on CVE-2021-26855 

The CVE-2021-26855 vulnerability assessment is made based on Microsoft’s http-vuln-cve2021-26855.nse nmap detection script.

Other vulnerability assessments are made on the version observed.

This report comes in two versions, for IPv4 and IPv6.

Notes on CVE-2022-41082

If you receive an alert for CVE-2022-41082, make sure to apply the latest Microsoft patch (from November 8th, 2022). It is not enough to implement the previously recommended mitigation. As discovered by CrowdStrike, the proposed mitigation can be bypassed.

We make our assessment based on the x_owa_version header.

Exchange Versions Vulnerable to CVE-2022-41080/CVE-2022-41082

2019
15.2.1118.15 - 15.2.1118.7 <-- strict match of all 4 numbers required
15.2.986.30 - 15.2.986.5 <-- strict match of all 4 numbers required
15.2.922.27 - 15.2.196.0 (anything less than or equal to 15.2.922 ) 
^^^ looser match of the first 3 numbers is required

2016
15.1.2507.13 - 15.1.2507.6 <-- strict match of all 4 numbers required
15.1.2375.32 - 15.1.2375.7 <-- strict match of all 4 numbers required
15.1.2308.27 - 15.1.225.16 (anything less than or equal to 15.1.2308) 
^^^ looser match of the first 3 numbers is required

2013
15.0.1497.31 - 15.0.1497.2 <-- strict match of all 4 numbers required
15.0.1473.6 - 15.0.516.32 (anything less than or equal to 15.0.1473)
^^^ looser match of the first 3 numbers is required
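
The matching rules in the table above can be applied to a build number read from your own server's x_owa_version header or from this report's version column. The following is an added example, not Shadowserver's code: the function names are hypothetical, and treating a three-number version that falls in a strict range as undetermined (None) is an assumption.

```python
# Added example: ranges transcribed from the table above as (low, high, strict).
# strict=True  -> all four numbers must fall inside the range
# strict=False -> only the first three numbers are compared
RANGES = {
    "2019": [("15.2.1118.7", "15.2.1118.15", True),
             ("15.2.986.5", "15.2.986.30", True),
             ("15.2.196.0", "15.2.922.27", False)],
    "2016": [("15.1.2507.6", "15.1.2507.13", True),
             ("15.1.2375.7", "15.1.2375.32", True),
             ("15.1.225.16", "15.1.2308.27", False)],
    "2013": [("15.0.1497.2", "15.0.1497.31", True),
             ("15.0.516.32", "15.0.1473.6", False)],
}


def parse_version(text):
    """Turn '15.2.986.5' into (15, 2, 986, 5); accepts 3 or 4 numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def vulnerable_release(version):
    """Return '2019', '2016' or '2013' if the version matches a listed range, else None."""
    try:
        v = parse_version(version)
    except ValueError:
        return None  # empty or malformed version field
    for release, ranges in RANGES.items():
        for low, high, strict in ranges:
            lo, hi = parse_version(low), parse_version(high)
            if strict:
                # Assumption: a 3-number version cannot be decided against a strict range.
                if len(v) == 4 and lo <= v <= hi:
                    return release
            elif lo[:3] <= v[:3] <= hi[:3]:
                return release
    return None


if __name__ == "__main__":
    # Test inputs chosen for illustration.
    for sample in ["15.2.721", "15.1.2375.10", "15.2.1118.20", "15.2.1118", ""]:
        print(f"{sample or '<empty>'}: {vulnerable_release(sample)}")
```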

Dashboard

You can track vulnerable Exchange scan results on the Shadowserver Dashboard. You can also check for specific CVEs by selecting source “exchange” and the appropriate CVE tags here.

Full Exchange exposure (population scan) can also be found on the Shadowserver Dashboard.

For more information on our Exchange scanning efforts, please read about our previous special reports.

For more information on our scanning efforts, check out our Internet scanning summary page.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Filename(s): scan_exchange, scan6_exchange.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • ip
    IP of the affected device
  • port
    Port response was received from
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • tag
    Array of tags. This would be exchange;cve-2021-26855
  • asn
    AS of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sector
    Sector of the IP in question
  • version
    Exchange version detected
  • servername
    Exchange server name

Sample

"timestamp","ip","port","hostname","tag","asn","geo","region","city","naics","sic","sector","version","servername","url"
"2021-05-14 00:11:30","12.237.x.x",443,"afs-exch-cas2.xxx.com","exchange;cve-2021-26855",7018,"US","CALIFORNIA","TURLOCK",517311,,"Communications, Service Provider, and Hosting Service","15.2.721","AFS-EXCH2019",
"2021-05-14 00:11:37","98.153.x.x",443,"rrcs-98-153-x-x.west.biz.rr.com","exchange;cve-2021-26855",20001,"US","CALIFORNIA","LOS ANGELES",517311,,"Communications, Service Provider, and Hosting Service","15.0.847","SSAMAIL",
"2021-05-14 00:11:38","206.210.x.x",443,"webmail.xxx.com","exchange;cve-2021-26855",17054,"US","PENNSYLVANIA","PITTSBURGH",518210,,,"15.0.1178","OMNYXEXCH02",
"2021-05-14 00:11:38","12.33.x.x",443,"mail.xxx.org","exchange;cve-2021-26855",7018,"US","ARKANSAS","LITTLE ROCK",921120,,"Communications, Service Provider, and Hosting Service","15.1.2176","MHASVR02",
"2021-05-14 00:11:38","41.204.x.x",443,"mail.xxx.mg","exchange;cve-2021-26855",21042,"MG","ANTANANARIVO","ANTANANARIVO",,,,,"SABMHQE0232",
"2021-05-14 00:11:38","62.33.x.x",443,,"exchange;cve-2021-26855",20485,"RU","ALTAYSKIY KRAY","BARNAUL",,,,"15.2.659","PV-SRV04",
"2021-05-14 00:11:43","199.33.x.x",443,"mail.xxx.tv","exchange;cve-2021-26855",26481,"US","CALIFORNIA","LOS ANGELES",,,,"15.1.1779","MAIL",
