Luxembourg’s financial supervisor CSSF on Friday brought attention to a warning from the grand duchy’s cyber security authorities which said an “alarming situation” has been created because more than 500 computer servers have not yet been updated with a critical software patch for Microsoft Exchange servers.
The update is required in order to prevent hackers from using a backdoor to gain access to the servers. Microsoft issued its latest patch last week.
The financial supervisor said its warning is based on information from the Luxembourg House of Cybersecurity and CIRCL, the Computer Incident Center Luxembourg, which has issued “an important cyber-security alert,” it said.
‘Immediate update required’
A CIRCL report issued on Tuesday noted that some 553 computer servers needed an immediate update. “This is an alarming situation and should be addressed by all responsible people working with Exchange servers,” the center said.
Microsoft’s latest patch addresses several Remote Code Execution vulnerabilities, which can be used to gain unauthorised access to a firm’s computer network. CIRCL said its data from 21 February 2023, one week after Microsoft released its latest patches, shows that 533 services have yet to be updated. The oldest unpatched installations haven’t been patched for 22 months.
CSSF said further details on the vulnerabilities are available in CIRCL’s latest technical report, which can be found at https://www.circl.lu/pub/tr-72/.