Germany concerned over outdated versions of Microsoft Exchange Server

Germany’s cybersecurity agency BSI expresses its concerns over tens of thousands of businesses and organizations running an end-of-life version of Microsoft Exchange Server. It urges companies to upgrade to a newer version.
Microsoft Exchange Server is an email and calendaring server that’s mainly used by businesses and organizations to manage email, calendars, contacts, and tasks like meetings. It also offers tools for spam filtering, data loss prevention, and secure communication.
Exchange Servers can be hosted on a company’s own infrastructure (on-premises), meaning its own personnel have to manage everything, including patching. Microsoft also offers customers the option to have Exchange hosted and managed in the Microsoft 365 cloud (off-premises).
On October 14, 2025, Microsoft ended support for Exchange Server 2016 and 2019. Since then, companies and organizations running these versions have received no security updates, bug fixes, or patches.
But according to calculations by the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany’s cybersecurity agency, 92% of the approximately 33,000 on-premises Exchange Servers are currently running version 2019 or older, as identified by the Outlook Web Access version they expose. This poses serious risks to thousands of companies and organizations, including hospitals and doctors’ offices, schools and universities, social services, law and tax offices, municipal utilities, and local governments.
If a critical vulnerability is found in Exchange Server, as has repeatedly been the case in recent years, Microsoft will not release a patch. In that scenario, vulnerable Exchange Servers must be immediately removed from the network to prevent a successful intrusion.
“Due to flat network structures and insufficient segmentation and hardening, the compromise of an Exchange Server often quickly leads to the complete compromise of the entire network of those affected. This can result in the leakage of sensitive information, the encryption of data using ransomware and subsequent ransom demands, as well as weeks of production downtime,” the BSI warns, adding that continuing to operate on outdated Exchange Server versions may constitute a GDPR violation.
The cybersecurity agency therefore recommends that operators of affected Exchange Servers immediately upgrade to Microsoft Exchange Subscription Edition (SE) or migrate to an alternative solution.