Microsoft Exchange servers in Germany are still running without security updates, just weeks after the official end of support for key versions.
The Federal Office for Information Security (BSI) issued a stark warning on October 28, 2025, revealing that 92% of approximately 33,000 known on-premise Exchange servers with internet-exposed Outlook Web Access (OWA) are running version 2019 or older.
This exposure leaves critical infrastructure across sectors such as healthcare, education, and public administration at heightened risk of cyberattacks, because any flaw found in these versions from now on will stay unpatched.
The BSI’s analysis reveals a troubling picture of widespread non-compliance with end-of-support deadlines.
Support for Exchange Server 2016 and 2019 officially ended on October 14, 2025, meaning Microsoft will no longer provide patches for bugs or security flaws.
Of the monitored servers, over 45% run version 2019 and about 40% use 2016, with only a fraction, around 2,500 (roughly 8%), upgraded to the supported Exchange Server Subscription Edition (SE).
These outdated systems are predominantly found in hospitals, doctors’ offices, schools, universities, social services, law firms, utilities, and municipal governments, amplifying the potential for widespread disruption.
The BSI’s CERT-Bund team has long notified operators about older versions like 2010 and 2013, and now extends alerts to 2016 and 2019 instances exposed online.
The implications are severe: any new critical vulnerability comparable to ProxyLogon (the 2021 flaws mass-exploited by the Hafnium group) cannot be remediated on these versions, potentially forcing servers offline and crippling email communications.
Compromised Exchange servers often lead to full network breaches due to flat architectures and poor segmentation, enabling data exfiltration, ransomware deployment, and prolonged outages.
Historical incidents underscore this danger; in 2021, thousands of global Exchange servers, including over 20,000 in Germany, fell victim to state-sponsored hacks exploiting unpatched flaws.
Moreover, processing personal data on servers that can no longer receive security updates is hard to reconcile with the General Data Protection Regulation (GDPR), which requires state-of-the-art technical measures, exposing operators to legal penalties.
To avert disaster, the BSI urges immediate upgrades to Exchange Server SE or migration to cloud alternatives like Exchange Online.
Microsoft’s Extended Security Updates (ESU) program offers paid patches for critical issues until April 14, 2026, but this merely delays the inevitable at additional cost.
Beyond upgrades, the agency recommends restricting OWA access to trusted networks via IP allow-listing or a VPN rather than exposing it directly to the internet, and consulting BSI's IT-Grundschutz guidelines for email security. The same restriction should cover the Exchange Admin Center (/ecp), which shares the OWA authentication surface.
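The two checks an administrator would want after reading this are "which of my servers are on an unsupported build?" and "how do I fence OWA off to trusted networks until the upgrade lands?". The following PowerShell, run from the Exchange Management Shell, is an added example written for this article, not code from the BSI or Microsoft. It uses the real `Get-ExchangeServer` cmdlet and the IIS `WebAdministration` module; the build-number cut-off used to tell Exchange SE apart from Exchange 2019 (both report version 15.2) is an assumption and must be verified against Microsoft's published build-number table before being relied on.

```powershell
# Added example for this article (not BSI or Microsoft code). Run in the Exchange Management Shell
# on an on-premise server with the IIS "IP and Domain Restrictions" role service installed.
# ASSUMPTION: Exchange SE RTM builds start at 15.2.2562.x; lower 15.2 builds are Exchange 2019.
# Verify against Microsoft's build-number table before acting on the result.

# Map an AdminDisplayVersion string such as "Version 15.2 (Build 1748.10)" to a support status.
function Get-ExchangeSupportStatus {
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)

    if ($AdminDisplayVersion -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return 'Unknown'
    }
    $major = [int]$Matches[1]; $minor = [int]$Matches[2]; $build = [int]$Matches[3]

    switch ($major) {
        14 { return 'Exchange 2010 (unsupported)' }
        15 {
            switch ($minor) {
                0 { return 'Exchange 2013 (unsupported)' }
                1 { return 'Exchange 2016 (unsupported since 2025-10-14; ESU until 2026-04-14)' }
                2 {
                    if ($build -ge 2562) { return 'Exchange SE (supported)' }   # assumption, see above
                    return 'Exchange 2019 (unsupported since 2025-10-14; ESU until 2026-04-14)'
                }
            }
        }
    }
    return 'Unknown'
}

# Inventory every Exchange server in the organization and flag the ones that need action.
function Get-ExchangeInventory {
    Get-ExchangeServer | ForEach-Object {
        $ver = $_.AdminDisplayVersion.ToString()
        [pscustomobject]@{
            Server  = $_.Name
            Version = $ver
            Status  = Get-ExchangeSupportStatus -AdminDisplayVersion $ver
        }
    }
}

# Convert an IPv4 prefix length (0..32) to a dotted subnet mask, which is what IIS ipSecurity expects.
function Convert-PrefixToMask {
    param([Parameter(Mandatory)][int]$Prefix)
    # Note: 0xFFFFFFFF as a PowerShell literal parses as -1, so build the 32-bit mask explicitly.
    $all  = ([uint64]1 -shl 32) - 1
    $mask = ($all -shl (32 - $Prefix)) -band $all
    $octets = 0..3 | ForEach-Object { ($mask -shr (8 * (3 - $_))) -band 255 }
    return ($octets -join '.')
}

# Restrict the OWA and ECP virtual directories at the IIS level to the given IPv4 networks.
# Everything not listed is denied. Include 127.0.0.1/32 and the server's own address so that
# Exchange's local health probes against OWA keep working.
function Restrict-OwaByIp {
    param(
        [Parameter(Mandatory)][string[]]$AllowedCidrs,          # e.g. '10.0.0.0/8','127.0.0.1/32'
        [string]$Site = 'Default Web Site',
        [string[]]$VirtualDirs = @('owa', 'ecp')
    )
    Import-Module WebAdministration
    $appHost = 'MACHINE/WEBROOT/APPHOST'   # ipSecurity is locked below this level by default
    $filter  = 'system.webServer/security/ipSecurity'

    foreach ($vdir in $VirtualDirs) {
        $loc = "$Site/$vdir"
        # Deny anything that is not explicitly allowed, then replace the existing entries.
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $filter -Name allowUnlisted -Value $false
        Clear-WebConfiguration -PSPath $appHost -Location $loc -Filter "$filter/add"
        foreach ($cidr in $AllowedCidrs) {
            $ip, $prefix = $cidr.Split('/')
            if (-not $prefix) { $prefix = 32 }
            Add-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $filter -Name '.' `
                -Value @{ ipAddress = $ip; subnetMask = (Convert-PrefixToMask -Prefix ([int]$prefix)); allowed = $true }
        }
    }
}

# Usage: list what needs upgrading, then fence OWA/ECP to the corporate network and loopback.
Get-ExchangeInventory | Format-Table -AutoSize
# Restrict-OwaByIp -AllowedCidrs '10.0.0.0/8','127.0.0.1/32'
```

The IIS allow list is a stop-gap, not a substitute for the upgrade: it only narrows who can reach the login page, and other internet-facing Exchange endpoints (EWS, ActiveSync, Autodiscover) need the same treatment or a front-end firewall rule. Publishing OWA only through a VPN avoids maintaining per-directory lists at all.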
With attackers constantly probing for weaknesses, German organizations must prioritize these steps to safeguard operations and data integrity in an increasingly hostile digital environment.