UK Electoral Commission had an unpatched Microsoft Exchange Server vulnerability

The report examines how Microsoft Exchange Server 2016 (version 15.1.2507.12) was vulnerable to the ProxyNotShell zero-day in late September 2022; Microsoft initially provided mitigations that were repeatedly bypassed until a full security update in November 2022, and the flaw allowed remote code execution and potential full network compromise of affected Exchange deployments, with real-world impact illustrated by the Rackspace Hosted Exchange breach.