Thousands of German Exchange Servers at Risk Due to Outdated Software
In an alert issued on October 28, 2025, Germany's Federal Office for Information Security (BSI) warned that approximately 92% of the roughly 33,000 on-premises Microsoft Exchange servers in Germany with internet-exposed Outlook Web Access (OWA) are running Exchange Server 2019 or older. The warning came two weeks after Microsoft ended support for Exchange Server 2016 and 2019 on October 14, 2025; without the paid Extended Security Updates described below, these systems no longer receive security fixes.
Widespread Vulnerability Across Critical Sectors
The BSI’s analysis reveals that over 45% of these servers are running Exchange Server 2019, while about 40% are on the 2016 version. Alarmingly, only around 2,500 servers have been upgraded to the supported Exchange Server Subscription Edition (SE). These outdated systems are prevalent in critical sectors, including healthcare, education, public administration, social services, law firms, utilities, and municipal governments. The continued use of unsupported software in these areas significantly heightens the risk of cyberattacks, potentially leading to data breaches, service disruptions, and compromised sensitive information.
Historical Context and Previous Incidents
The dangers of operating unpatched Exchange servers are well documented. In early 2021, state-sponsored attackers exploited what were then zero-day vulnerabilities in on-premises Exchange servers (the ProxyLogon chain, patched by Microsoft in March 2021), compromising tens of thousands of servers worldwide, including over 20,000 in Germany. Those intrusions led to widespread data theft and operational disruption. The current situation has the same ingredients: large numbers of internet-exposed servers that will not receive fixes for the next publicly disclosed flaw, which underscores the need for timely updates and proactive defensive measures.
Legal Implications and Compliance Issues
Beyond the immediate technical risks, organizations processing personal data on these outdated servers may be in violation of the General Data Protection Regulation (GDPR). Non-compliance with GDPR can result in substantial legal penalties, further emphasizing the necessity for organizations to maintain up-to-date and secure systems.
Recommended Actions for Organizations
To mitigate these risks, the BSI strongly recommends that organizations:
– Upgrade Systems: Transition to the Exchange Server Subscription Edition (SE) or migrate to cloud-based alternatives like Exchange Online.
– Implement Extended Security Updates (ESU): For organizations unable to upgrade immediately, Microsoft offers a paid ESU program covering critical security fixes until April 14, 2026. This is a stopgap, not a solution: it costs extra, runs for only six months, and does not change the fact that the software itself is out of support.
– Restrict OWA Access: Limit access to Outlook Web Access to known source addresses (IP allow-listing) or require a VPN, so that the login page is not reachable from the open internet while the migration is under way.
– Consult Security Guidelines: Refer to the BSI’s IT-Grundschutz guidelines for comprehensive email security practices and implement recommended measures to enhance system security.
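Two of the steps above, the version inventory and the OWA access restriction, can be scripted. The following PowerShell is an added example written for this article; it is not code from the BSI alert or from Microsoft. It assumes the Exchange front end lives on the IIS "Default Web Site", that the WebAdministration module and the IIS "IP and Domain Restrictions" role service (Web-IP-Security) are installed, and it uses the RFC 5737 documentation range 203.0.113.0/24 as a placeholder for the organisation's VPN or reverse-proxy address range. The Exchange SE build threshold (2562) is an assumption that should be checked against Microsoft's published build table. One caveat a practitioner should keep in mind: OWA is only one of the Exchange front-end virtual directories (/ecp, /ews, /autodiscover, /mapi, /rpc and /Microsoft-Server-ActiveSync sit beside it), so an allow list on /owa alone shrinks the exposed login surface but does not take the server off the internet.

```powershell
# Added example (not from the BSI alert or Microsoft): inventory Exchange build
# numbers and put an IP allow list in front of the OWA virtual directory.
# Run in the Exchange Management Shell as an Exchange/IIS administrator.

# --- 1. Inventory: which servers run out-of-support builds? -------------------
# Major.Minor: 15.0 = Exchange 2013, 15.1 = Exchange 2016, 15.2 = Exchange 2019 or
# Exchange SE. 2019 and SE share 15.2, so they are told apart by build number.
# ASSUMPTION: first Exchange SE RTM build is 2562; verify against Microsoft's table.
$SeFirstBuild = 2562

function Get-ExchangeSupportStatus {
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion prints as "Version 15.2 (Build 1544.4)" whether it
        # arrives as a ServerVersion object or as a deserialized string.
        $text = "$($server.AdminDisplayVersion)"
        if (-not ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)')) {
            Write-Warning "$($server.Name): unparsable version '$text'"
            continue
        }
        $v = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        if ($v.Major -eq 15 -and $v.Minor -le 1) {
            $status = 'OUT OF SUPPORT (Exchange 2013/2016)'
        } elseif ($v.Major -eq 15 -and $v.Minor -eq 2 -and $v.Build -lt $SeFirstBuild) {
            $status = 'OUT OF SUPPORT (Exchange 2019)'
        } elseif ($v.Major -eq 15 -and $v.Minor -eq 2) {
            $status = 'Supported (Exchange SE)'
        } else {
            $status = 'Unknown'
        }
        [pscustomobject]@{ Server = $server.Name; Version = $v; Status = $status }
    }
}

# --- 2. Allow-list the OWA virtual directory in IIS (run on each server) ------
Import-Module WebAdministration
# Requires the 'IP and Domain Restrictions' role service:
#   Install-WindowsFeature Web-IP-Security
$OwaPath  = 'IIS:\Sites\Default Web Site\owa'
$IpFilter = 'system.webServer/security/ipSecurity'

function ConvertTo-SubnetMask([int]$PrefixLength) {
    # ipSecurity entries take a dotted IPv4 mask, not a prefix length.
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    (0..3 | ForEach-Object { [convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.'
}

function Set-OwaAllowList {
    param(
        # Placeholder range (RFC 5737 documentation space); replace with your VPN or
        # reverse-proxy egress range. Behind a proxy, IIS sees the proxy's address,
        # so that is the address that must be listed. IPv4 only in this example.
        [string[]]$AllowedCidrs = @('203.0.113.0/24')
    )
    # Start from an empty section so repeated runs do not accumulate duplicates.
    # Writing through the site-level PSPath lands in applicationHost.config as a
    # <location> element, so the default lock on ipSecurity does not block it.
    Clear-WebConfiguration -PSPath $OwaPath -Filter $IpFilter
    # Deny everything that is not explicitly listed.
    Set-WebConfigurationProperty -PSPath $OwaPath -Filter $IpFilter -Name 'allowUnlisted' -Value $false
    foreach ($cidr in $AllowedCidrs) {
        $ip, $prefix = $cidr -split '/'
        $mask = ConvertTo-SubnetMask -PrefixLength ([int]$prefix)
        Add-WebConfigurationProperty -PSPath $OwaPath -Filter $IpFilter -Name '.' `
            -Value @{ ipAddress = $ip; subnetMask = $mask; allowed = 'true' }
    }
}

function Get-OwaAllowList {
    # Read back what IIS will actually enforce.
    Get-WebConfiguration -PSPath $OwaPath -Filter "$IpFilter/add" |
        Select-Object ipAddress, subnetMask, allowed
}

Get-ExchangeSupportStatus | Format-Table -AutoSize
Set-OwaAllowList -AllowedCidrs @('203.0.113.0/24')
Get-OwaAllowList
```

The inventory is read-only and can be run once from any Exchange Management Shell; the allow list is per-server IIS configuration and has to be applied on every server that still serves OWA. After applying it, a request to https://<server>/owa/ from an address outside the list is answered with IIS's default deny action, HTTP 403, while listed addresses continue to reach the login page. Keep the ECP and other virtual directories in view: the same ipSecurity pattern applies to them if the organisation decides they do not need to be reachable from the internet either.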
The Urgency of Proactive Cybersecurity Measures
With cyber attackers continually scanning for vulnerabilities, it is imperative for German organizations to prioritize these actions. Proactive measures are essential to safeguard operations, protect sensitive data, and maintain the trust of clients and stakeholders in an increasingly hostile digital environment.