Advisory Release

Microsoft released the advisory for CVE-2024-21410 on February 13, 2024, as part of their February 2024 Patch Tuesday security updates. The vulnerability was quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on February 15, 2024, indicating confirmed exploitation in the wild and requiring federal agencies to take immediate remediation action.


Key Details

CVE-2024-21410 is a critical elevation of privilege vulnerability in Microsoft Exchange Server, rated CVSS 9.8. It lets an attacker relay a victim’s Net-NTLMv2 authentication to the Exchange server (an NTLM relay attack). Affected servers accept NTLM authentication without Extended Protection for Authentication, the channel binding that ties an NTLM exchange to the TLS session it was sent over, so the server cannot tell a relayed authentication from a genuine one.

The attack starts by coercing an NTLM client such as Microsoft Outlook into authenticating to a host the attacker controls, for example with a message or calendar item that makes the client fetch a resource from the attacker’s server. The attacker captures the Net-NTLMv2 response and forwards it, in real time, to the Exchange server, which accepts it and treats the attacker’s session as the victim. No password is cracked and no password is needed. This is NTLM relay, not “pass-the-hash”: a Net-NTLMv2 response is a keyed answer to the server’s one-time challenge, so it cannot be stored and reused later the way an NT hash can, but while the exchange is in flight it can be relayed to any server that accepts NTLM without channel binding.

What makes this vulnerability particularly dangerous is its low complexity. CVSS rates it as network-exploitable with no privileges and no user interaction required on the Exchange side; the attacker only needs a client to initiate NTLM authentication to a host they control, and the relay completes in the time it takes that client to answer the challenge.
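A relayed Net-NTLMv2 authentication reaches the Exchange server from the attacker’s relay host, not from the user’s workstation, so on the server it looks like an ordinary NTLM network logon from an unexpected address. The following PowerShell is an added example written for this page (it is not code from the original post or from Messageware) that turns Windows Security event 4624 records into flat logon records and flags NTLM network logons that arrive from outside the client ranges you trust, or one account authenticating via NTLM from several addresses within a short window. The trusted ranges and the sample records are assumptions constructed for the illustration; the function names are mine.

```powershell
# Added example for this page; not code from the original post or from Messageware.
# Flags NTLM network logons (event 4624, logon type 3, package NTLM) that look
# like relayed authentication. Trusted ranges and sample records are assumptions.

# Assumption: client subnets from which NTLM logons to Exchange are expected.
$TrustedClientRanges = @('10.10.0.0/16', '192.168.50.0/24')

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toUInt32 = {
        param([string]$Address)
        # GetAddressBytes() is big-endian; reverse it so ToUInt32 reads it correctly.
        $bytes = [byte[]]([System.Net.IPAddress]::Parse($Address).GetAddressBytes()[3..0])
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    return ((& $toUInt32 $Ip) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Test-TrustedSource {
    param([string]$Ip)
    $addr = $null
    # '-' (local logon), IPv6 or malformed values are not verifiably trusted.
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false
    }
    foreach ($cidr in $TrustedClientRanges) {
        if (Test-IPv4InCidr -Ip $Ip -Cidr $cidr) { return $true }
    }
    return $false
}

function ConvertFrom-LogonEvent {
    # Turns a 4624 EventRecord from Get-WinEvent into the flat record the hunt uses.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']   # 'NTLM' or 'Kerberos'
        LmPackage   = $data['LmPackageName']               # 'NTLM V2' for Net-NTLMv2
        SourceIp    = $data['IpAddress']
    }
}

function Find-SuspiciousNtlmLogons {
    param([object[]]$Logons, [int]$WindowMinutes = 60)
    # Relayed Net-NTLMv2 shows up as a network logon (type 3) through the NTLM package.
    $ntlm = $Logons | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' }
    foreach ($group in ($ntlm | Group-Object User)) {
        $ips       = @($group.Group.SourceIp | Sort-Object -Unique)
        $times     = @($group.Group.Time | Sort-Object)
        $untrusted = @($ips | Where-Object { -not (Test-TrustedSource $_) })
        $reasons   = @()
        if ($untrusted.Count -gt 0) {
            $reasons += "NTLM logon from untrusted source: $($untrusted -join ', ')"
        }
        if ($ips.Count -gt 1 -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            $reasons += "$($ips.Count) source addresses within $WindowMinutes minutes"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $group.Name; SourceIps = ($ips -join ', '); Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample records (assumption: shaped like the output of ConvertFrom-LogonEvent).
$SampleLogons = @(
    [pscustomobject]@{ Time = [datetime]'2024-02-16T09:00:00'; User = 'CORP\alice'; LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; SourceIp = '10.10.4.21' }
    [pscustomobject]@{ Time = [datetime]'2024-02-16T09:04:00'; User = 'CORP\alice'; LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; SourceIp = '203.0.113.77' }
    [pscustomobject]@{ Time = [datetime]'2024-02-16T09:05:00'; User = 'CORP\bob';   LogonType = 3; AuthPackage = 'Kerberos'; LmPackage = '-';       SourceIp = '10.10.4.30' }
    [pscustomobject]@{ Time = [datetime]'2024-02-16T09:07:00'; User = 'CORP\carol'; LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; SourceIp = '10.10.4.55' }
)
Find-SuspiciousNtlmLogons -Logons $SampleLogons | Format-Table -AutoSize

# Against the live Security log on the Exchange server (last 24 hours):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24) } |
#         ForEach-Object { ConvertFrom-LogonEvent -Record $_ }
# Find-SuspiciousNtlmLogons -Logons $live | Format-Table -AutoSize
```

In the sample data, alice’s second NTLM logon comes from 203.0.113.77, an address outside the trusted ranges, minutes after one from her workstation; that pattern (the same user’s credential presented from a host that is not hers) is the server-side footprint of a relay. Kerberos logons are ignored on purpose, since relay of this kind only works against NTLM. Treat the two heuristics as a starting point for triage, not proof: VPN pools and proxies also produce one account from several addresses, so tune the trusted ranges before acting on the output.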

Affected Systems

The following Microsoft Exchange Server versions are vulnerable to CVE-2024-21410:

  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 13
  • Microsoft Exchange Server 2019 Cumulative Update 14

Exchange Server 2019 CU14, released the same day as the advisory, enables Extended Protection by default during setup; it appears in the list because a CU14 server on which that protection has been opted out of or later disabled is still exposed. On Exchange 2016 CU23 and 2019 CU13 the protection is not turned on automatically and has to be enabled by the administrator.

Shadowserver’s scans in February 2024 identified roughly 97,000 internet-facing Exchange servers as potentially vulnerable; that figure includes servers whose Extended Protection status could not be determined from outside, so it is an upper bound, but it shows how large the exposed population was at disclosure.

Exploit Status

As of May 2025, CVE-2024-21410 continues to be exploited in the wild; it has been listed in CISA’s KEV catalog since February 2024.

No formal attribution has been made, but security researchers have noted similarities to the tradecraft of APT28 (also tracked as Forest Blizzard), a Russian state-backed actor known for exploiting NTLM weaknesses and for using access token manipulation and token impersonation/theft techniques against email servers.

State-affiliated groups have a track record against this attack surface: APT28 abused Outlook credential-leak flaws to stage NTLM relay attacks, and Hafnium exploited Exchange Server flaws directly in the 2021 ProxyLogon campaign. A server-side relay weakness that turns any coerced Outlook authentication into access as that user is therefore attractive to sophisticated actors.

Technical Impact

Successful exploitation of CVE-2024-21410 has severe consequences:

  • Privilege Escalation: Attackers can gain unauthorized access with the privileges of the compromised user account
  • Authentication Bypass: The vulnerability allows attackers to authenticate as legitimate users without knowing their passwords
  • Unauthorized Operations: Once authenticated, attackers can perform operations on the Exchange server on behalf of the victim
  • Data Compromise: The vulnerability poses a high threat to all aspects of the CIA triad (Confidentiality, Integrity, Availability)
  • Persistent Access: Attackers may establish persistence within the network for long-term exploitation

The vulnerability is particularly concerning because the captured Net-NTLMv2 response never needs to be cracked: it is relayed to the Exchange server during the live authentication exchange, so password length and complexity offer no protection. That makes it a low-effort, high-impact attack vector.

Recommendations

  1. Apply Security Updates Immediately: Move Exchange Server 2019 to Cumulative Update 14 (February 2024), which turns the mitigation on during setup. On Exchange 2016 CU23 and 2019 CU13, keep the server on a current security update and complete the next step, because the update alone does not close the relay path.
  2. Enable Extended Protection for Authentication (EPA): Exchange Server 2019 CU14 enables EPA by default. On any other supported build, enable it with Microsoft’s ExchangeExtendedProtectionManagement.ps1 script and confirm that every Exchange virtual directory reports it. Check the prerequisites first: EPA requires consistent TLS configuration across all Exchange servers and does not work behind SSL offloading, and enabling it on a server that violates these will break client access rather than protect it.
  3. Implement Network Segmentation: Restrict access to Exchange servers, particularly from the internet, and segment the network so that a relay that succeeds against one server cannot be turned into lateral movement.
  4. Monitor for Suspicious Activity: Watch for NTLM network logons to the Exchange server (event 4624, logon type 3, authentication package NTLM) from addresses that are not the user’s workstation, for EWS, Autodiscover and MAPI requests from unexpected source IPs in the IIS logs, and for unusual PowerShell activity on the server.
  5. Implement Multi-Factor Authentication: Where possible, require MFA for Exchange access. Note that MFA by itself does not stop NTLM relay, because the relayed credential is the user’s Windows logon rather than an interactive sign-in; it helps where it is paired with disabling legacy NTLM authentication paths for client access.
  6. Upgrade Legacy Systems: If running older, unsupported versions of Exchange, prioritize migration to supported versions that receive security updates and support Extended Protection.
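Steps 1 and 2 are only done when every Exchange virtual directory that accepts Windows authentication actually has channel binding configured. The following PowerShell is an added example written for this page (not code from the original post or from Messageware) that lists the Extended Protection setting of every application under the two Exchange IIS sites and marks the ones still exposed to relay. Run it in an elevated PowerShell on the Exchange server. Microsoft’s ExchangeExtendedProtectionManagement.ps1 with -ShowExtendedProtection remains the authoritative check, because it knows the expected value for each virtual directory, which this quick check does not; the function name and the site names it enumerates are assumptions based on a default Exchange installation.

```powershell
# Added example for this page; not code from the original post or from Messageware.
# Reports the Extended Protection (channel binding) setting of every application
# under the two Exchange IIS sites. Site names assume a default installation.

Import-Module WebAdministration

function Get-ExchangeExtendedProtectionStatus {
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        foreach ($app in @(Get-WebApplication -Site $site)) {
            $psPath  = "IIS:\Sites\$site$($app.path)"   # e.g. IIS:\Sites\Default Web Site/EWS
            $winAuth = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
                           -Name 'enabled' -ErrorAction SilentlyContinue
            $ep      = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
                           -Name 'extendedProtection' -ErrorAction SilentlyContinue
            $token   = if ($null -ne $ep) { [string]$ep.tokenChecking } else { 'unknown' }
            [pscustomobject]@{
                Site          = $site
                Application   = $app.path
                WindowsAuth   = [bool]$winAuth.Value
                TokenChecking = $token   # None | Allow | Require
                # Windows (NTLM) authentication accepted with no channel binding at all
                # is the condition an NTLM relay needs. 'Require' rejects any client that
                # does not bind; 'Allow' still validates a binding when one is sent.
                RelayExposed  = ([bool]$winAuth.Value -and ($token -eq 'None' -or $token -eq 'unknown'))
            }
        }
    }
}

# Every application, exposed ones first.
Get-ExchangeExtendedProtectionStatus | Sort-Object RelayExposed -Descending | Format-Table -AutoSize

# Build level, if run from the Exchange Management Shell (Exchange 2019 CU14 reports 15.2.1544.x):
# Get-ExchangeServer | Format-Table Name, AdminDisplayVersion -AutoSize
```

Any row with WindowsAuth true and TokenChecking None is a virtual directory that will accept a relayed NTLM authentication; 'unknown' usually means the application exists but has no windowsAuthentication section of its own, which is worth a manual look rather than an assumption. Microsoft deliberately sets some front-end directories to Allow rather than Require to keep older clients working, so do not “fix” a directory to Require without checking the documented mapping, and re-run this check after every cumulative update, since setup can reset the configuration.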


Strengthen Your Server Security with Messageware

Data breaches have increased by 72%, and servers can be compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Messageware offers powerful security solutions, including:

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.

Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.