Exchange servers are at risk from a critical vulnerability identified as CVE-2024-21410, which was discussed a few days ago. This vulnerability allows unauthenticated remote attackers to launch NTLM relay attacks against Microsoft Exchange servers and escalate their privileges on the system.
Widely utilized in business environments, Exchange Server enables communication and collaboration among users by offering email services, calendars, contact management, and task organization.
On February 13, Microsoft patched the aforementioned vulnerability, which was already being exploited as a zero-day. Subsequently, on February 19, the Shadowserver threat monitoring service revealed that approximately 97,000 servers were potentially vulnerable. Of these, 68,500 servers may be vulnerable depending on whether administrators have applied mitigations, while 28,500 servers are directly susceptible to CVE-2024-21410.
The countries with the largest numbers of potentially exposed servers are as follows:
- Germany – 22,903 servers;
- United States – 19,434 servers;
- Great Britain – 3,665 servers;
- France – 3,074 servers;
- Austria – 2,987 servers;
- Russia – 2,771 servers;
- Canada – 2,554 servers;
- Switzerland – 2,119 servers.
At present, there is no publicly available PoC exploit for CVE-2024-21410, which somewhat limits the number of attackers exploiting this vulnerability. To address CVE-2024-21410, system administrators are urged to install Cumulative Update 14 (CU14) for Exchange Server 2019, which was included in the latest Patch Tuesday update and provides protection against NTLM interception.
The Cybersecurity and Infrastructure Security Agency (CISA) in the US added CVE-2024-21410 to its “Known Exploited Vulnerabilities” (KEV) catalog, giving federal agencies until March 7, 2024, to implement updates, mitigation measures, or discontinue the use of the affected