92% of German organizations failed to take action despite Microsoft's repeated reminders about the end of support for Exchange Server 2016/2019. Now, over 30,000 organizations in the country face a serious risk of cyberattacks and data breaches.
Recent warnings from Germany's Federal Office for Information Security (BSI) have brought to light a developing security crisis with the potential to destabilize the nation's entire IT infrastructure. After Microsoft officially ended free extended support and security updates for Exchange Server versions 2016 and 2019, the BSI found that nearly 92% of the 33,000 publicly accessible Exchange Servers have been left vulnerable to cyberattacks.
Despite Microsoft's continuous reminders about the end of support for Exchange Server versions using perpetual licenses, only 2500 Exchange Servers were found to be running the currently supported Exchange Server SE. The BSI's analysis paints a picture of non-compliance and general disregard for Microsoft's persistent reminders, which started as early as January 2025.
Organizations on the Brink of an Impending Disaster
Most of the unsupported Exchange Servers were found in universities, schools, doctors' clinics, hospitals, law firms, and municipal offices. All these institutions hold critical data of German citizens, which can be compromised if attackers exploit vulnerabilities in unpatched Exchange Servers.
Because many organizations with unsupported Exchange Servers have flat network structures that lack segmentation and hardening, attackers can quickly take over the entire network once the Exchange Server is compromised. They can steal sensitive data and deploy ransomware and backdoors, causing production outages that can last several weeks.
The BSI has warned that any critical vulnerability in Microsoft Exchange cannot be immediately remedied, and the affected Exchange Server would then have to be taken offline to avoid data compromise. It has also pointed to the various attacks that took place in the past and strongly urged organizations to upgrade from unsupported Exchange versions to Exchange SE or to migrate to the cloud by choosing Microsoft's Exchange Online, i.e., Microsoft 365.
Limited Extension Period: A Possible Fix or Delaying the Disaster
Although Microsoft has tried to mitigate the issue by offering an Extended Security Update (ESU) program, the German BSI does not see it as a solution to this problem. Microsoft's plan to offer critical security patches for an additional six months, until April 14, 2026, comes with a financial overhead, which may not be received well by many German organizations running unsupported Exchange Servers. Many companies are planning to migrate their mailboxes to open-source alternatives like Thunderbird and Open-Xchange to keep their expenses in check while still using the email service. However, for the time being, there is no certainty that all of them will be able to migrate to secure platforms or upgrade to Exchange Server SE before time runs out or a vulnerability is found.
The Road Ahead
The BSI is advising companies to follow cybersecurity hygiene best practices, such as not exposing Exchange Server components like Outlook Web Access directly to the internet without robust security controls. The BSI also recommends restricting access via VPN or a trusted IP whitelist to reduce the attack surface. But primarily, it wants organizations to either immediately upgrade to Exchange Server SE or migrate to alternative messaging solutions like Microsoft 365.
If you are looking to migrate from an unsupported Exchange version to Exchange SE or Microsoft 365 quickly and efficiently, you can use migration tools such as Stellar Migrator for Exchange. This tool ensures secure mailbox migration with 100% precision and zero downtime, which is the need of the hour at this very moment. You can even use this tool to transfer mailboxes from third-party hosted Exchange services to the Microsoft 365 cloud. It is simple to use and has an intuitive interface that makes migration convenient even for organizations that do not have IT admins with extensive expertise in Exchange migration.