Thousands of Microsoft Exchange servers could be vulnerable to this dangerous security flaw


Tens of thousands of Microsoft Exchange servers are vulnerable to a flaw that is already being abused in the wild, experts have warned.

The vulnerability, tracked as CVE-2024-21410, is a privilege escalation flaw that allows threat actors to perform NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the target endpoint. As a result, they could steal sensitive information and confidential data being shared via email, or could use the access as a stepping stone for more devastating attacks. 

It was discovered as a zero-day earlier this year and patched on February 13, BleepingComputer reports, citing Shadowserver, which says it has identified almost 100,000 potentially vulnerable servers. Of that number, 28,500 are confirmed to be vulnerable; for the rest it is unclear whether administrators have applied the patch yet.

Patch available, PoC not yet

The majority of the vulnerable instances are found in Germany (22,903), the United States (19,434), and the United Kingdom (3,665). Other notable mentions include France (3,074), Austria (2,987), Russia (2,771), Canada (2,554), and Switzerland (2,119).

The good news is that there is no publicly available Proof-of-Concept (PoC) exploit, which reduces the number of threat actors capable of exploiting CVE-2024-21410. The bad news is that the flaw is already being exploited in the wild by certain unnamed hackers. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) also added the flaw to its KEV (Known Exploited Vulnerabilities) catalog and gave federal organizations a deadline of March 7 to apply the patch or stop using the product. 

To secure their servers, administrators should apply the Exchange Server 2019 Cumulative Update 14 (CU14), which was released as part of the February 2024 Patch Tuesday update. According to the report, this update enables NTLM credential relay protections.
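Patching closes the hole, but defenders also want to know whether relayed NTLM logons have already reached their Exchange hosts. The script below is an added example, not code from the article or from Microsoft: it parses a small set of constructed Windows Security event 4624 (successful logon) records and applies one common triage heuristic for NTLM relay. The heuristic (an assumption here, not something the article states) is that the Workstation Name field is supplied by the client inside its NTLM authentication message, while Source Network Address is the TCP peer the server actually saw; when credentials are relayed, the name belongs to the victim's machine but the address belongs to the relay host. The host inventory (`INVENTORY`) is constructed sample data standing in for DHCP leases or AD computer objects.

```python
import re

# Constructed sample of Windows Security event 4624 records, rendered as the
# "Field: value" lines of the event message. Not real telemetry.
SAMPLE_LOG = """\
EventID: 4624
Logon Type: 3
Authentication Package: NTLM
Account Name: alice
Workstation Name: WKS-ALICE
Source Network Address: 10.0.5.21

EventID: 4624
Logon Type: 3
Authentication Package: NTLM
Account Name: exchange-admin
Workstation Name: WKS-ADMIN
Source Network Address: 10.0.9.77

EventID: 4624
Logon Type: 3
Authentication Package: Kerberos
Account Name: bob
Workstation Name: WKS-BOB
Source Network Address: 10.0.5.40

EventID: 4624
Logon Type: 2
Authentication Package: NTLM
Account Name: carol
Workstation Name: WKS-CAROL
Source Network Address: 127.0.0.1
"""

# Constructed host inventory (hostname -> expected address). Assumption: the
# defender can map workstation names to addresses from DHCP or AD data.
INVENTORY = {
    "WKS-ALICE": "10.0.5.21",
    "WKS-ADMIN": "10.0.5.30",
    "WKS-BOB": "10.0.5.40",
    "WKS-CAROL": "10.0.5.50",
}


def parse_events(text):
    """Split the log into blank-line separated records, each parsed into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def find_relay_suspects(events, inventory):
    """Return logons matching the relay heuristic (an assumption, not from the article).

    Flags a network logon (type 3) authenticated with NTLM whose Workstation Name
    is a known host but whose Source Network Address is not that host's address.
    NAT, VPN concentrators and stale inventory produce the same mismatch, so each
    hit is a lead for triage rather than a verdict.
    """
    suspects = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("Logon Type") != "3":
            continue
        if ev.get("Authentication Package", "").upper() != "NTLM":
            continue
        wks = ev.get("Workstation Name", "").upper()
        src = ev.get("Source Network Address", "")
        expected = inventory.get(wks)
        if expected is not None and expected != src:
            suspects.append({
                "account": ev.get("Account Name", ""),
                "workstation": wks,
                "expected": expected,
                "observed": src,
            })
    return suspects


if __name__ == "__main__":
    for s in find_relay_suspects(parse_events(SAMPLE_LOG), INVENTORY):
        print(f"NTLM logon for {s['account']}: workstation {s['workstation']} "
              f"expected at {s['expected']} but seen from {s['observed']}")
```

Run against the constructed sample, only the `exchange-admin` logon is flagged: the client claims to be WKS-ADMIN (inventoried at 10.0.5.30) but the connection arrived from 10.0.9.77. The Kerberos logon and the interactive (type 2) logon are ignored because the heuristic only concerns NTLM network authentication, which is the class of logon a relay produces. Reviewing such hits alongside the patch status of each Exchange host gives a quick picture of exposure before and after CU14 is applied.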


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.