9 in 10 Exchange servers in Germany still running out-of-support software

Summary

Germany’s cybersecurity agency BSI has found that about 92% of the nation’s public-facing Exchange servers — roughly 33,000 systems — are still running unsupported Exchange versions (2019 or earlier) after Microsoft ended support on 14 October 2025. The affected estate includes private companies and public-sector bodies such as hospitals, doctors’ surgeries, schools, universities, social services and local authorities.

The BSI advisory warns that unpatched Exchange servers have historically led to severe breaches (see ProxyShell, ProxyNotShell and ProxyLogon incidents). Without vendor patches, newly discovered critical vulnerabilities could force organisations to take servers offline to prevent compromise, potentially causing data leaks, ransomware, widespread network takeover and prolonged service outages.

Microsoft is offering six months of extended security updates via its Extended Update Program (announced in July), but those protections end after 14 April. The BSI urges organisations to migrate to supported editions (Subscription Edition) or move to alternative solutions, and to stop exposing Exchange directly to the web by restricting access to trusted IPs or using VPNs.

Key Points

  • BSI reports ~92% of Germany’s public-facing Exchange servers run out-of-support software (Exchange 2019 or older).
  • Approximately 33,000 public-facing Exchange instances are affected, including critical public-sector services.
  • Unsupported Exchange will receive no security fixes — new critical bugs could force immediate takedowns to avoid compromise.
  • Past Exchange zero-days (ProxyShell, ProxyNotShell, ProxyLogon) show the real-world impact: data theft, ransomware and full network compromise.
  • Microsoft provides a six-month Extended Update Program until 14 April; after that, organisations must migrate to Subscription Edition or alternatives.
  • BSI recommendations: migrate or upgrade, improve segmentation and hardening, and stop exposing Exchange to the internet (use IP restrictions or VPNs).
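The first step the BSI recommendations imply is knowing which of your own servers fall into the out-of-support set. The following is an added example, not code from the BSI advisory or The Register article: run from the Exchange Management Shell, it lists every server in the organisation with its build and flags anything that is not Subscription Edition. It assumes `Get-ExchangeServer` is available and that the Subscription Edition RTM build is 15.2.2562.x; confirm that build number against Microsoft's published build table before acting on the output.

```powershell
# Added example: inventory Exchange servers and flag unsupported versions.
# Assumption: Subscription Edition (SE) RTM is build 15.2.2562.x; Exchange 2019
# shares the 15.2 major.minor but has lower build numbers. Verify before use.
$seRtmBuild = 2562

function Get-ExchangeSupportStatus {
    param([Parameter(ValueFromPipeline)] $Server)
    process {
        $v = $Server.AdminDisplayVersion   # ServerVersion: Major/Minor/Build/Revision
        if ($v.Major -eq 15 -and $v.Minor -eq 2 -and $v.Build -ge $seRtmBuild) {
            $status = 'Supported (Subscription Edition)'
        } elseif ($v.Major -eq 15 -and $v.Minor -eq 2) {
            $status = 'Out of support: Exchange 2019'
        } elseif ($v.Major -eq 15 -and $v.Minor -eq 1) {
            $status = 'Out of support: Exchange 2016'
        } elseif ($v.Major -eq 15 -and $v.Minor -eq 0) {
            $status = 'Out of support: Exchange 2013'
        } else {
            $status = 'Unknown version: check manually'
        }
        [pscustomobject]@{
            Name    = $Server.Name
            Version = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
            Status  = $status
        }
    }
}

# Sort so the out-of-support servers group together at the top of the report.
Get-ExchangeServer | Get-ExchangeSupportStatus | Sort-Object Status, Name | Format-Table -AutoSize
```

Servers reported as out of support are the ones to prioritise for migration to Subscription Edition and, until then, for removal from direct internet exposure as the BSI advises.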

Why should I read this

Look — if your organisation runs Exchange or you rely on services run by German partners, this is urgent. Nine out of ten public-facing boxes are effectively ticking time bombs: no vendor patches, high-impact historical exploits, and real risk of ransomware or data leaks. The BSI bluntly says migration or serious hardening is the only sensible move. Read this so you know whether you need to act now or face painful downtime later.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/29/germany_exchange_support/