Microsoft Warns of Exploited Exchange Server Zero-Day

Microsoft says a newly patched Exchange Server vulnerability (CVE-2024-21410) has been exploited in attacks.

Microsoft warned on Wednesday that a newly addressed vulnerability in Exchange Server has been actively exploited in attacks.

Tracked as CVE-2024-21410 (CVSS score of 9.8), the critical-severity flaw is described as a privilege escalation issue that allows attackers to mount pass-the-hash attacks.

According to Microsoft, an attacker could exploit the bug to relay a user’s Net-NTLMv2 hash against a vulnerable server and authenticate as that user.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf,” Microsoft explains in its advisory.

The root cause of the vulnerability, the tech giant notes, is that NTLM credential relay protection, or Extended Protection for Authentication (EPA), was not enabled by default in Exchange Server 2019.
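Because the weakness is a missing hardening setting rather than a code bug, the practical defender question is whether EPA is actually enforced on the Exchange virtual directories. The following is an added example, not code from SecurityWeek or Microsoft: it parses a constructed fragment shaped like an IIS applicationHost.config and reports every Exchange virtual directory whose Windows-authentication `extendedProtection tokenChecking` value is not `Require`. The list of virtual directories and the sample XML are assumptions for illustration.

```python
"""Audit Extended Protection for Authentication (EPA) settings in an IIS
applicationHost.config. Added example; not code from SecurityWeek or Microsoft."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of applicationHost.config <location> entries.
# Not from a real server: one hardened entry, one set to Allow, one with EPA absent.
SAMPLE_APPHOST = """<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OWA">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ECP">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

# Assumed, illustrative subset of Exchange front-end virtual directories to audit.
EXCHANGE_VDIRS = (
    "Default Web Site/EWS",
    "Default Web Site/OWA",
    "Default Web Site/ECP",
    "Default Web Site/MAPI",
)


def epa_settings(apphost_xml):
    """Map each <location> that configures Windows authentication to its EPA
    tokenChecking value. IIS treats a missing <extendedProtection> element, or a
    missing tokenChecking attribute, as "None" (no channel-binding enforcement)."""
    root = ET.fromstring(apphost_xml)
    settings = {}
    for loc in root.iter("location"):
        win_auth = next(loc.iter("windowsAuthentication"), None)
        if win_auth is None:
            continue  # location does not touch Windows auth; nothing to audit
        ep = win_auth.find("extendedProtection")
        settings[loc.get("path", "")] = ep.get("tokenChecking", "None") if ep is not None else "None"
    return settings


def weak_epa_paths(apphost_xml, vdirs=EXCHANGE_VDIRS):
    """Return {vdir: value} for every audited virtual directory whose EPA setting is
    not Require. A vdir with no <location> entry is reported as "missing" so that a
    reviewer checks whether the value is inherited or set elsewhere (e.g. web.config)."""
    settings = epa_settings(apphost_xml)
    return {v: settings.get(v, "missing") for v in vdirs if settings.get(v, "missing") != "Require"}


if __name__ == "__main__":
    for path, value in weak_epa_paths(SAMPLE_APPHOST).items():
        print(f"{path}: tokenChecking={value} (expected Require)")
```

The check only looks at `<location>` blocks in applicationHost.config; on a real server the effective value can also come from a per-directory web.config or from site-level inheritance, which is why an absent entry is flagged for review rather than silently treated as safe.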

The issue has been addressed with the release of Exchange Server 2019 Cumulative Update 14 (CU14), which brings several other improvements and fixes as well.

Initially, Microsoft’s advisory on CVE-2024-21410 did not flag the bug as exploited, but the company updated it on Wednesday, changing the exploitation flag to “indicate that Microsoft was aware of exploitation of this vulnerability”.

The tech giant has shared no details on the observed exploitation attempts. Last year, however, Microsoft blamed a Russia-based threat actor for NTLM relay attacks targeting an Outlook zero-day.

On Wednesday, cybersecurity firm Check Point published details on another critical-severity Outlook vulnerability, CVE-2024-21413 (CVSS score of 9.8). Resolved with the February 2024 Patch Tuesday updates, the bug allows attackers to bypass Office Protected View and execute code remotely.

The issue can be triggered using crafted hyperlinks that utilize the ‘file://’ protocol, “followed by a specific path, an exclamation mark, and additional arbitrary characters”, Check Point, which named the flaw #MonikerLink, explains.

“The #MonikerLink bug allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution. This is due to the misuse of the Component Object Model (COM) on Windows, where Outlook incorrectly parses a specially crafted hyperlink to access COM objects,” Check Point says.
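The link shape Check Point describes (a `file://` link whose path is followed by an exclamation mark and further characters) is something a mail gateway or link-rewriting proxy can triage on before a message reaches a client. The following is an added example, not code from SecurityWeek or Check Point: a small classifier run over constructed sample hyperlinks that flags `file://` links carrying that pattern for review. The sample links and the `example.net` host are constructed.

```python
"""Triage hyperlinks extracted from an email body, flagging file:// links whose path
contains an exclamation mark. Added example; not code from SecurityWeek or Check Point."""

# Constructed sample links, as a gateway might extract them from a message body.
SAMPLE_LINKS = [
    "https://www.example.com/quarterly-report",
    "mailto:helpdesk@example.net",
    "file://\\\\files.example.net\\share\\notes.txt",
    "file://\\\\files.example.net\\share\\notes.txt!placeholder",
]


def classify_link(url):
    """Coarse link class for triage: 'file-bang' is a file:// link whose path contains
    '!', 'file' is any other file:// link, 'web' is http(s), everything else 'other'."""
    stripped = url.strip()
    lowered = stripped.lower()
    if lowered.startswith("file:"):
        path = stripped[len("file:"):].lstrip("/\\")
        return "file-bang" if "!" in path else "file"
    if lowered.startswith(("http:", "https:")):
        return "web"
    return "other"


def links_needing_review(links):
    """Return the links a reviewer (or an automated quarantine rule) should look at.
    Plain file:// links are also worth policy attention in most environments, but only
    the '!' pattern from the article is surfaced here."""
    return [u for u in links if classify_link(u) == "file-bang"]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10s} {link}")
    print("review:", links_needing_review(SAMPLE_LINKS))
```

The classifier deliberately errs toward recall: any `!` after the `file:` scheme is flagged, even though a legitimate file path could contain one, because a false positive costs a review while a miss delivers the link to a client that shows no warning.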

Attacks exploiting CVE-2024-21413 are trivial, do not prompt security warnings or error messages, and can lead to data theft, malware execution, privilege escalation, and victim impersonation.

“Both individual users and organizations are urged to apply any patches or security updates provided by Microsoft, to follow recommended security practices, and to remain vigilant against suspicious hyperlinks and emails,” Check Point notes.

Related: Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

Related: New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Related: Russian APT Used Zero-Click Outlook Exploit

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.