One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers

One of the critical security flaws exploited by China's Salt Typhoon to breach US telecom and government networks has had a patch available for nearly four years - yet despite repeated warnings from law enforcement and private-sector security firms, nearly all public-facing Microsoft Exchange Server instances with this vulnerability remain unpatched.

According to cyber-risk management firm Tenable, 91 percent of the nearly 30,000 openly reachable instances of Exchange vulnerable to CVE-2021-26855, aka ProxyLogon, have not been updated to close the hole.

Microsoft disclosed this vulnerability in March 2021, and warned it was being exploited with a chain of other bugs by Chinese government snoops to achieve remote code execution on targets' Exchange Servers. Later that year, the Five Eyes nations called ProxyLogon one of the top exploited vulnerabilities of 2021.

For comparison: Tenable's team also analyzed over 20,000 devices suffering two Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) also ...