Critical MS Exchange Server vulnerability actively attacked, one day after patch release
Take action: Patch your Exchange servers now. Even if your server is not hit tomorrow, attackers will keep trying this flaw for a long time. Follow Microsoft's instructions and apply the update as soon as possible.
Learn More
Microsoft has warned that a critical vulnerability in Exchange Server is being actively exploited as a zero-day; the company issued a fix as part of its Patch Tuesday updates.
The vulnerability, tracked as CVE-2024-21410 (CVSS score 9.8), allows remote, unauthenticated attackers to escalate privileges via NTLM relay attacks. The attacker tricks or coerces a client (a device or application on the network) into authenticating to a rogue NTLM relay server, then forwards that authentication to the Exchange server, impersonating the victim and gaining the victim's privileges there.
In these attacks, an adversary could exploit a vulnerability in an NTLM client such as Outlook to leak a user's NTLM credentials. Those credentials could then be relayed to an Exchange server, allowing the attacker to impersonate the victim and perform actions on the server on the victim's behalf.
The vulnerability affects multiple versions of Microsoft Exchange Server. Microsoft's mitigation is Extended Protection for Authentication (EPA), which binds the NTLM authentication to the TLS channel it arrives on, so that an authentication relayed over a different connection is rejected; EPA is enabled by default starting with Exchange Server 2019 Cumulative Update 14 (CU14).
Roughly 97,000 Exchange servers are exposed on the internet; the countries with the most exposed instances are:
- Germany (22,903 instances),
- United States (19,434),
- United Kingdom (3,665),
- France (3,074),
- Austria (2,987),
- Russia (2,771),
- Canada (2,554),
- Switzerland (2,119).
Of those roughly 97,000 exposed servers, at least 28,500 are confirmed to be vulnerable to CVE-2024-21410.
Microsoft reported that after installation of this month's 2024 H1 Cumulative Update (CU14) for Exchange Server 2019, Extended Protection (EP) is enabled by default. On older supported versions, including Exchange Server 2016, administrators can run Microsoft's ExchangeExtendedProtectionManagement.ps1 PowerShell script to turn EP on and protect servers that cannot take CU14 against CVE-2024-21410. Whichever route is used, verify afterwards that EP is actually enforced on the Exchange virtual directories; a server that has the update but not EP is still exposed to the relay.
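The following audit script is an added example, not Microsoft's ExchangeExtendedProtectionManagement.ps1 and not code from the article: it reads the IIS Extended Protection setting (tokenChecking: None, Allow or Require) on every web application under the two Exchange IIS sites, so an administrator can confirm that EP is really on after CU14 or after running Microsoft's script. It assumes a default install (site names "Default Web Site" and "Exchange Back End") and, as a simplification, treats "None" on any directory other than Autodiscover as a finding, because Microsoft's own configuration deliberately leaves Autodiscover off; compare the printed values against Microsoft's published per-directory table for your version. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not Microsoft's ExchangeExtendedProtectionManagement.ps1):
# audit the IIS Extended Protection setting on every web application under
# the two Exchange sites. Run in an elevated PowerShell on the Exchange server.
Import-Module WebAdministration

# Site names of a default Exchange install (assumption: adjust if renamed).
$sites = @('Default Web Site', 'Exchange Back End')

function Get-ExchangeEpStatus {
    param([string[]]$SiteNames)
    foreach ($site in $SiteNames) {
        foreach ($app in Get-WebApplication -Site $site) {
            # $app.path looks like "/EWS" or "/mapi/emsmdb"; build the provider path.
            $psPath = "IIS:\Sites\$site" + ($app.path -replace '/', '\')
            # extendedProtection.tokenChecking: None (off), Allow (honour a
            # channel-binding token if the client sends one), Require (enforce).
            $ep = Get-WebConfigurationProperty -PSPath $psPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                -Name 'extendedProtection'
            $tc = [string]$ep.tokenChecking
            [pscustomobject]@{
                Site          = $site
                VDir          = $app.path
                TokenChecking = $tc
                # Simplification (assumption): Microsoft leaves Autodiscover at
                # None on purpose; any other directory at None is a finding.
                Finding       = ($tc -eq 'None' -and $app.path -notlike '/Autodiscover*')
            }
        }
    }
}

$status = Get-ExchangeEpStatus -SiteNames $sites
$status | Sort-Object Site, VDir | Format-Table -AutoSize

$findings = @($status | Where-Object Finding)
if ($findings.Count -gt 0) {
    Write-Warning ("Extended Protection is off on $($findings.Count) virtual directory(ies); " +
                   "run ExchangeExtendedProtectionManagement.ps1 and re-check.")
} else {
    Write-Host 'Extended Protection is enabled on all non-Autodiscover virtual directories.'
}
```

Two caveats a practitioner should keep in mind: EP relies on the TLS channel-binding token, so it breaks when a load balancer or proxy terminates TLS and re-encrypts to the server with a different certificate (Microsoft's prerequisites cover this), and a "Require" value on a directory that legitimately needs "Allow" will lock out older clients rather than make the server safer. Treat the script's output as a starting point and reconcile it against Microsoft's documented settings before changing anything.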