Weeks after software bugs were first uncovered by Microsoft, thousands of Exchange Servers are still unpatched. But even updated systems might be breached, Brandon Wales, the acting CISA (the Cybersecurity and Infrastructure Security Agency) director, said.

“I want to reinforce this at every opportunity I have. We have long believed that you should patch your systems, make sure you’ve applied those security updates because it’s essential to protecting your networks. But, and particularly, in this case, patching is not sufficient,” Wales said during The Cipher Brief Webinar.

The CyberNews investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers. The vulnerability is still being actively exploited, most famously by the China-linked malicious actors.

, Patched Microsoft Exchange Servers give a false sense of security, says CISA’s Brandon Wales

But patched systems might have  already been compromised if hackers breached them before they were updated.

“We know that multiple adversaries have compromised networks prior to patches being applied. And if you apply a patch, your system may still be compromised, the adversary can still be inside of your network, still be able to utilize you to attack others and disrupt your operations,” Wales said.

So companies, even those that have applied patches, should make sure that their systems are not breached. When the software bugs were first uncovered, more than 120,000 entities in the US alone were found vulnerable.

“You should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that,” he said.

Tens of thousands of compromised Microsoft Exchange Servers are already patched. However, that does not mean companies are safe.

“Those system operators could be under a false sense of security, they could believe that they have been protected, but in fact, it’s too late,” Wales explained.

He recommended visiting CISA’s page for further guidance.

“It will have and point to the resources that are not just CISA’s. Microsoft has released a great tool geared towards those small and medium-sized businesses that are one click to identify whether their system has been compromised. We encourage people to go there and use those tools and read the Microsoft blog,” Wales said.

The Microsoft vulnerabilities attracted attention even from the White House.

“The cost of cyber incident response weighs particularly heavily on small businesses. Hence, we requested that Microsoft help small businesses with a simple solution to this incident. In response, Microsoft has released a one-click mitigation tool. We encourage every business or organization that has not yet fully patched and scanned their Exchange Server to download and run this free tool,” a statement by the White House says.