Over 350,000 of all Microsoft Exchange servers exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions. The vulnerability is present in the Exchange Control Panel (ECP) component on by default and it allows attackers to take over vulnerable servers using any previously stolen valid email credentials. Microsoft patched this bug on the February 2020 Patch Tuesday and tagged it with an “Exploitation More Likely”” exploitability index assessment.”
Source: https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/