US racing to address Microsoft vulnerabilities, especially for small businesses

Microsoft's new tool seems to be helping.
NEW YORK, NEW YORK: People walk around a Microsoft store on March 10, 2021. (Photo by John Smith/VIEWpress)

The number of entities in the U.S. that remain vulnerable to the recently announced Microsoft Exchange Server software flaws is dropping, according to a National Security Council spokesperson.

Overall, the number of vulnerable systems fell 45% last week, the National Security Council (NSC) spokesperson said in a statement, and there are now fewer than 10,000 vulnerable systems in the U.S., compared to the more than 120,000 entities that were vulnerable when the software bugs were first uncovered.

The key to that apparent decrease is the fact that entities are taking advantage of a new tool Microsoft released to the public last week in an attempt to protect smaller organizations against hackers seeking to exploit the Exchange Server flaws, according to the NSC spokesperson. Microsoft developed the tool, the Exchange On-Premises Mitigation tool — which works in an automated way, scanning for compromises and remediating issues — in coordination with Anne Neuberger, the deputy national security adviser for cyber and emerging technology, the NSC spokesperson said.

Overall, the tool has been downloaded 25,000 times since it was released, according to the NSC.


Microsoft developed the tool specifically to help smaller businesses that lack a security or IT team to help guide them through the process of fending off hacks stemming from the vulnerabilities.

Security researchers have been working against the clock to prepare vulnerable organizations for hackers seeking to take advantage of the flaws, with many particularly concerned that small- and medium-sized businesses wouldn’t be up to the challenge. Some researchers took matters into their own hands and made a website intended to help alert organizations if they’ve been compromised as a result of the Microsoft Exchange Server software bugs, and to help those organizations that didn’t know where to start.

The revelation that the number of vulnerable organizations is dropping will be welcome news to the security community. Hackers from around the world have been exploiting the flaws since the company announced the zero-day vulnerabilities earlier this month. Hackers suspected of having ties to the Chinese government have been working to leverage the flaws and establish long-term data collection capabilities against vulnerable organizations, according to security researchers, while hackers from around the world have begun launching cryptominers and a strain of ransomware known as DearCry.

The news that vulnerable organizations are increasingly paying attention and patching with Microsoft’s latest tool is the latest indication that the private sector will be key to responding to the flaws moving forward. In recognition that the private sector will be central to any response, the White House invited some private sector entities to participate in its emergency cyber incident response group, which it stood up to address the Microsoft flaws.

It is the first time the White House has ever formally invited members of the private sector to participate in a so-called Unified Coordination Group, according to the NSC.


“Cyber is a key priority of the Biden Administration,” the NSC spokesperson said in a statement. “The Administration’s approach to cyber security is to work closely with the private sector, and we’re well aware that small businesses often bear the brunt of the cost of cyber incidents so we are focused on coming up with creative ways to help them.”

The White House said vulnerable organizations should not just rely on the new Microsoft tool moving forward, warning that vulnerable entities should also be updating their servers.

“We continue to strongly encourage everyone, including those that run this tool, to also update their Exchange Server for more complete protection,” the NSC official said.

Correction, 3/22/2021: The story has been corrected to reflect the fact that the number of vulnerable systems fell 45% last week. The original story incorrectly stated that 45% of vulnerable systems had been patched.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
