With Exchange Server 2016 and 2019 no longer receiving security updates as of 14 October 2025, we strongly recommend that organizations take immediate steps to reduce their exposure and transition to supported, cloud-hosted alternatives such as Microsoft 365.
Why this matters
Internet-facing Microsoft Exchange servers are a high-value target for threat actors, particularly now that extended support has ended for the last widely deployed on-premises versions. While Exchange remains a widely used enterprise email solution, operating it on-premises and exposed to the internet carries significantly greater security risk than cloud-hosted alternatives such as Microsoft 365. Over recent years, on-premises Exchange servers have been repeatedly exploited through both known vulnerabilities (where patches existed but had not been applied) and previously unknown zero-day vulnerabilities, often as part of large-scale, automated campaigns.
Attackers frequently target exposed Exchange servers for the following reasons:
- High-value entry point: Exchange servers handle sensitive communications and authenticate users against Active Directory, making them attractive targets for initial access.
- Known exploitation history: Critical vulnerabilities – such as those exploited in the Hafnium (ProxyLogon), ProxyShell, and ProxyNotShell campaigns – have been widely weaponized, and their exploitation patterns are public.
- Administrative exposure: Leaving the Exchange Admin Center (/ecp) and remote PowerShell (/powershell) reachable from the internet means that a single stolen or guessed password can yield administrative control of the mail platform.
- Credential theft and lateral movement: Exchange servers hold extensive permissions in Active Directory, so a compromised server frequently gives attackers a path to domain-wide privileges and lateral movement across the network.
- End of support: With Microsoft ending extended support for Exchange Server 2016 and 2019 on 14 October 2025, these versions no longer receive security updates. Any vulnerability discovered from now on stays unpatched indefinitely, and security operations teams must compensate with tighter monitoring and compensating controls.
Maintaining an unsupported, internet-facing Exchange server significantly elevates the risk of compromise.
Recommended actions
To reduce the risk of compromise, we strongly recommend taking the following actions:
- Migrate to Exchange Online (Microsoft 365), where Microsoft patches and operates the service, or, if email must stay on-premises, to Exchange Server Subscription Edition, the only on-premises version that continues to receive security updates.
- Block internet access to the administrative endpoints, the Exchange Admin Center (/ecp) and remote PowerShell (/powershell). Outlook on the web (/owa) is a user-facing endpoint that usually has to remain reachable, so place it behind a reverse proxy or VPN rather than exposing it directly.
- Enforce multi-factor authentication (MFA) for all user and administrative accounts. On-premises Exchange only supports MFA through Hybrid Modern Authentication (Microsoft Entra ID), AD FS, or a third-party identity proxy; without one of these, authentication to /owa, /ecp and /powershell remains password-only.
- Review IIS and Exchange logs for signs of unusual sign-in activity (unexpected source addresses, times or user agents), requests to admin endpoints from external addresses, mailbox export requests (New-MailboxExportRequest in the admin audit log), newly created role assignments, and large downloads that may indicate data exfiltration.
All CFC cyber policyholders can contact our expert team for advice in our Response app. At CFC, we’ll continue to monitor this threat closely to help businesses stay protected.
Please get in touch via customersupport@cfc.com for support, or report suspicious activity through our Response app.