Tens of thousands of Microsoft Exchange servers worldwide could be vulnerable to a recently disclosed zero-day privilege escalation vulnerability that is already being actively exploited by threat actors.

The vulnerability, tracked as CVE-2024-21410, allows a remote, unauthenticated attacker to relay a user’s Windows NT LAN Manager (NTLM) credentials or “hashes” to impersonate legitimate users on vulnerable Exchange servers. This can enable pass-the-hash attacks where the stolen credentials are used to gain privileges on the Exchange server on the victim’s behalf.

Microsoft patched CVE-2024-21410 and several other vulnerabilities on February 13, 2024, as part of the monthly Patch Tuesday updates. However, the company revised its advisory a day later to flag CVE-2024-21410 as a zero-day flaw that was already under active exploitation in the wild.

The vulnerability exists in Microsoft Exchange Server 2019 versions prior to the February Cumulative Update 14 (CU14) because NTLM credential relay protections (Extended Protection for Authentication) were not enabled by default. Without these protections, attackers can steal NTLM hashes from targets like Outlook and relay them against vulnerable Exchange servers.

According to the Shadowserver Foundation, nearly 28,000 Exchange servers are confirmed vulnerable to CVE-2024-21410, while another 68,000 are possibly vulnerable. The countries with the highest numbers of at-risk servers are Germany, the United States, and the United Kingdom.

Administrators should update to Exchange Server 2019 CU14 as soon as possible to get the latest protections and mitigations against this exploit. They should also verify NTLM relay protection is enabled on older Exchange versions that may also be vulnerable.

System admins are advised to apply the available patches immediately.
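The article says the flaw is reachable because Extended Protection for Authentication (EPA) was not on by default before CU14, and that administrators should verify NTLM relay protection is enabled. The following PowerShell is an added example, not part of the article and not a Messageware or Microsoft tool: it reads the IIS `extendedProtection` setting of the Exchange virtual directories and flags any that still accept Windows authentication without EPA. It assumes an elevated PowerShell session on the Exchange server with the `WebAdministration` module available; the list of virtual directories and the expectation that `tokenChecking` should be `Require` are this example's assumptions. Microsoft's own `ExchangeExtendedProtectionManagement.ps1` script (from the CSS-Exchange repository) remains the authoritative way to enable and audit EPA.

```powershell
# Added example (not from the article): report the Extended Protection for
# Authentication (EPA) setting on Exchange IIS virtual directories.
# Assumptions: run elevated on the Exchange server; WebAdministration module present;
# the virtual-directory list and the "Require" expectation are this example's choices.
Import-Module WebAdministration

# Exchange virtual directories that accept Windows (NTLM/Kerberos) authentication.
# Assumed list for a typical Exchange 2019 install; adjust to your deployment.
$targets = @(
    @{ Site = 'Default Web Site'
       Paths = @('API','Autodiscover','ECP','EWS','MAPI','Microsoft-Server-ActiveSync',
                 'OAB','OWA','PowerShell','RPC') },
    @{ Site = 'Exchange Back End'
       Paths = @('API','Autodiscover','ECP','EWS','MAPI/emsmdb','MAPI/nspi',
                 'Microsoft-Server-ActiveSync','OAB','OWA','PowerShell',
                 'PushNotifications','RPC') }
)

function Get-EpaStatus {
    param([string]$Site, [string]$Path)

    $filter  = 'system.webServer/security/authentication/windowsAuthentication'
    $psPath  = "IIS:\Sites\$Site"
    $winAuth = Get-WebConfiguration -Filter $filter -PSPath $psPath -Location $Path
    $epa     = Get-WebConfiguration -Filter "$filter/extendedProtection" -PSPath $psPath -Location $Path

    # tokenChecking is None (no channel binding), Allow (optional) or Require (enforced).
    # Only Require prevents a relayed NTLM handshake from being accepted on a different channel.
    $token = [string]$epa.tokenChecking
    $status = if (-not $winAuth.enabled) { 'n/a (Windows auth disabled)' }
              elseif ($token -eq 'Require') { 'OK' }
              elseif ($token -eq 'Allow')   { 'WEAK (Allow: relay still possible)' }
              else                          { 'MISSING (None: no EPA)' }

    [pscustomobject]@{
        VirtualDirectory   = "$Site/$Path"
        WindowsAuthEnabled = [bool]$winAuth.enabled
        TokenChecking      = $token
        Flags              = [string]$epa.flags
        Status             = $status
    }
}

$results = foreach ($t in $targets) {
    foreach ($p in $t.Paths) {
        try {
            Get-EpaStatus -Site $t.Site -Path $p
        } catch {
            # A missing virtual directory (e.g. role not installed) is reported, not fatal.
            [pscustomobject]@{
                VirtualDirectory   = "$($t.Site)/$p"
                WindowsAuthEnabled = $null
                TokenChecking      = $null
                Flags              = $null
                Status             = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

$results | Format-Table -AutoSize

# Summarise the exposure: endpoints that take Windows auth but do not enforce EPA.
$exposed = $results | Where-Object { $_.WindowsAuthEnabled -and $_.TokenChecking -ne 'Require' }
if ($exposed) {
    Write-Warning ("{0} virtual director{1} accept NTLM without enforced Extended Protection." -f
        $exposed.Count, $(if ($exposed.Count -eq 1) { 'y' } else { 'ies' }))
    exit 1
} else {
    Write-Host 'All checked virtual directories enforce Extended Protection (tokenChecking = Require).'
    exit 0
}
```

Run it on each Exchange server after installing CU14 (and on any older, still-supported version where EPA was enabled by Microsoft's script). A non-zero exit code means at least one endpoint still accepts an NTLM handshake without channel binding, so a relayed credential would be honoured there even though the cumulative update is installed. Treat an `Allow` result as unfinished: EPA only blocks relay when it is required, not merely permitted.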

Secure your Exchange Servers

When a server is compromised by a cyber attack, time is of the essence in responding. The faster a breach can be detected and containment actions taken, the less damage the attackers can inflict. Every minute that passes allows adversaries to further infiltrate systems, escalate privileges, and quietly expand their access.

Security analysts suggest compromised servers are leveraged in under 90 minutes. Messageware Z-Day Guard catches changes to your server baseline instantly, and sends you alerts to respond long before this threat window closes.

Protect your Microsoft Exchange Servers from zero-day attacks with Next-Generation threat hunting: