30,000 organizations including small businesses, towns and local governments with an exchange server, i.e. anyone who runs their own exchange server was susceptible to getting hacked. Krebs on Security blogpost.
Also we have the following story:
White House cites ‘active threat,’ urges action despite Microsoft patch
The problem may be that if one was attacked and your exchange server was compromised because you did not patch it quick enough.
“Already, a source told Reuters more than 20,000 U.S. organizations had been compromised by the hack, which Microsoft has blamed on China, although Beijing denies any role.”
Of course Microsoft and the white house are recommending that the companies or entities running Exchange server need to patch or install a fixed exchange server software
This is a basic item that everyone who manages computers needs to know- the patching cycle and Zero-Days
An older image from a long ago blog post -discusses the details of the Patch cycle, with the vulnerability found, exploit released in the wild, discovered by vendor(here it is Microsoft) then the vulnerability was disclosed publicly in this case it an out of band (not on patch Tuesday) since Microsoft felt it was bad enough they could not wait for march 9th, and instead released the patch on March 3rd.
here is the official CERT release for the Microsoft Exchange threat.
https://us-cert.cisa.gov/ncas/alerts/aa21-062a