Critical Security Flaw Actively Exploited, Leaving Over 28,500 Exchange Servers at Risk

February 19, 2024

A critical severity privilege escalation flaw, known as CVE-2024-21410, is currently being exploited, putting as many as 97,000 Microsoft Exchange servers at risk. Microsoft addressed the flaw on February 13, when it had already been exploited as a zero-day. As of now, 28,500 servers have been confirmed as vulnerable.

Microsoft Exchange Server, popular in business environments for facilitating communication and collaboration, provides services such as email, calendar, contact management, and task management. The security flaw enables remote unauthenticated actors to carry out NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the system.

Today, threat monitoring service Shadowserver reported that its scanners have identified approximately 97,000 potentially vulnerable servers. Of these, around 68,500 servers' vulnerability status depends on whether administrators have applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410. The countries most affected include Germany, the United States, the United Kingdom, France, Austria, Russia, Canada, and Switzerland.

Currently, there is no publicly available proof-of-concept (PoC) exploit for CVE-2024-21410, which limits the number of attackers able to use the flaw. To address CVE-2024-21410, system administrators are advised to apply the Exchange Server 2019 Cumulative Update 14 (CU14), released during the February 2024 Patch Tuesday, which enables NTLM credential relay protections.
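As an added example (not part of the article and not a Microsoft-provided script), the following PowerShell snippet inventories the Exchange servers in an organization and flags Exchange 2019 servers whose build is still below CU14, i.e. servers that have not yet received the update that turns on the relay protections described above. It assumes CU14 corresponds to build 15.2.1544.4 (taken from Microsoft's Exchange build-number table; verify against the current table before relying on it) and that it is run from the Exchange Management Shell, where Get-ExchangeServer is available.

```powershell
# Added example, not from the article: list Exchange servers and flag
# Exchange 2019 servers below the CU14 build.
# Assumption: CU14 = build 15.2.1544.4 (verify against Microsoft's build table).
# Run from the Exchange Management Shell (Get-ExchangeServer must be available).

$Cu14Build = [version]'15.2.1544.4'

function Get-ExchangeCu14Status {
    Get-ExchangeServer | ForEach-Object {
        $v = $_.AdminDisplayVersion
        # AdminDisplayVersion is a ServerVersion object (e.g. "Version 15.2 (Build 1544.4)");
        # rebuild it as System.Version so the comparison is numeric, not string-based.
        $build = [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)

        # Exchange 2019 reports major 15, minor 2; Exchange 2016 reports 15.1.
        $isExchange2019 = ($v.Major -eq 15 -and $v.Minor -eq 2)

        [pscustomobject]@{
            Server       = $_.Name
            Build        = $build
            Exchange2019 = $isExchange2019
            Status       = $(
                if (-not $isExchange2019) { 'Not Exchange 2019 - CU14 does not apply; check vendor guidance' }
                elseif ($build -ge $Cu14Build) { 'CU14 or later' }
                else { 'BELOW CU14 - update required' }
            )
        }
    }
}

# Servers needing attention sort to the top of the table.
Get-ExchangeCu14Status | Sort-Object Status | Format-Table -AutoSize
```

Servers reported as "BELOW CU14" are the ones to prioritize; the script only checks the installed build, so it does not by itself prove that the relay protections are active on a given server, and an Exchange 2016 server falls outside the CU14 guidance the article gives.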

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has also added CVE-2024-21410 to its 'Known Exploited Vulnerabilities' catalog, mandating federal agencies to apply the available updates/mitigations by March 7, 2024, or discontinue using the product. Exploitation of CVE-2024-21410 can have severe implications for an organization as attackers with elevated permissions on an Exchange Server can access confidential data like email communication and use the server as a launchpad for further attacks on the network.
