External Threat Management

Microsoft Exchange is a Global Vulnerability. Patching Efforts Reveal Regional Inconsistencies 

The Microsoft Exchange vulnerability was a global-scale security issue that affected thousands of organizations across the world. With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem. 

RiskIQ has continuously collected internet data for more than a decade to put the vulnerability's scope into context so our customers can respond rapidly. However, in the process, we noticed that not all countries are patching this critical vulnerability effectively. 

The results of scans from our global sensors show that despite this being a ubiquitous issue, each country has reacted very differently, with patching success varying wildly across borders and continents.

How did different organizations and hosting providers fare in different regions around the world? We looked at our data to break it down:

Global view of the exchange vulnerability

Initial patching efforts caused vulnerable servers to plummet, but it's since plateaued

Continent by Continent Day Zero


The largest seven countries in Africa by deployed servers had somewhat different successes in the percentage of patched Exchange servers. South Africa leads the way with more than 75% fixed, with Tanzania and Egypt not far behind with 66% and 65% patched, respectively. However, after that, there’s a steep dropoff. Nigeria is at 56%, Ethiopia at 46%, and the Democratic Republic of the Congo at a concerning 27% patched.


Looking at the seven largest populations across Asia, we saw somewhat similar successes in patching, with Japan the notable exception at under 14%, which appears to indicate a  lack of attention to the task of repairing and patching servers at hand.

Among the deployed server count of smaller Asian countries, Armenia was near the top at about 70% fixed, and at the bottom, below 35%, were Sri Lanka and Cambodia. 


Most European countries with an extensive Exchange install base hovered above 70% patched, with Russia the notable laggard. The next group of European countries saw Slovenia having the highest percentage of patched Exchange servers at 89%. Rounding out the smaller countries (number of servers, not population) had Lichtenstein at nearly 100%.

Europe, though showing a vast improvement, still has pockets of countries with unpatched servers. While most European countries are ahead of the curve, nations such as Serbia, Albania, Macedonia, and other Balkan nations have relatively low patching rates for Europe. 


Australia and New Zealand both reached the mid-70% level. However, there was inconsistency among the island nations that make up the rest of the region. For example, Tonga is at 33%, The Republic of Fiji is at 73%, and Samoa at 62%.

North America

In a battle of the three large markets in North America, Canada came out on top with a higher percentage of patched servers than the USA or Mexico. In the rest of North America, a few of the Caribbean islands patched all their servers. However, many sit below 50%, including Barbados.

South America

Peru and Colombia lagged behind the other larger South American countries in patching the Exchange exploit. The rest of Latin America had smaller installations and various success rates. However, they were generally too small to yield any specific insights. 

Initial patching efforts caused a drastic decline in vulnerable servers, but patching has since plateaued.

Lessons Learned

Getting your enterprise and downstream customers to patch is an arduous task. We found that while some countries have been slow to respond, others have been far more diligent. However, addressing issues of global vulnerabilities like Exchange all starts with visibility. 

RiskIQ offers several ways to gain insight into information like this via our new integration with Elastiflow

Elastiflow: Help Us Make Traffic Safer

RiskIQ has created a platform for ASNs to share their anonymized network flow data in exchange for instant, real-time security intelligence about their network and the entire internet. 

How does it work? 

RiskIQ stores Netflow data in a secure central repository. Through our tools and analytics, you can enrich your network with actionable insights into the threats and malicious activities occurring across the internet.   

When you log into the RiskIQ portal, you will see the malicious activity on your network, as well as the networks of your customers, peers, and transit suppliers. RiskIQ provides unmatched real-time reputational IP and threat data against traffic, alerting you to upstream and downstream threats. If our platform sees a malicious customer on a peer's network and shows up on yours, we'll recognize them immediately.    

What You'll Get

We're offering you no-cost access to a powerful suite of tools on our platform for your Netflow data. With these tools, you'll gain: 

  • Early detection of malicious activities
  • An enhanced level of enrichment about the endpoints attempting to communicate with devices on your network.
  • Access to years of historical IP and reputation data
  • Pride from making traffic safer

Contact us to get started. All we need is the IP from which your network will send data so we can safelist it. 

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor