Open Nav
Sign Up

Critical Zero-Day Vulnerability in Microsoft Exchange Server Exploited Prior to Patch (CVE-2024-21410)

Bar Refael

February 15, 2024

Microsoft has issued an urgent security advisory regarding a critical vulnerability in its Exchange Server product, identified as CVE-2024-21410. This vulnerability was actively exploited as a zero-day before being addressed in the recent Patch Tuesday update. The flaw allows remote, unauthenticated attackers to escalate privileges through NTLM relay attacks on vulnerable Exchange Server versions. Microsoft has responded by releasing a patch in Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

Vulnerability Details:

  • CVE ID: CVE-2024-21410
  • Severity: Critical
  • Impact: Privilege Escalation through NTLM Relay Attacks
  • Affected Versions: Vulnerable Microsoft Exchange Server versions
  • Remediation: Apply Exchange Server 2019 Cumulative Update 14 (CU14) to enable NTLM credentials Relay Protections (EPA)

Mitigation and Recommendations:

  • Immediate Action: Customers are advised to promptly apply the CU14 update to their Exchange servers to mitigate the risk of exploitation.
  • Extended Protection (EP): EP is now automatically enabled by default on all Exchange servers after installing the CU14 update. This feature strengthens Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.
  • Environment Evaluation: Before enabling EP on Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft’s documentation for the EP toggle script to avoid breaking functionality.
  • Monitoring and Vigilance: Customers are encouraged to monitor their systems for any signs of compromise and remain vigilant for any related security updates or advisories from Microsoft.

Additional Notes:

In a separate but related advisory, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during the same Patch Tuesday update. Customers are advised to ensure that their Outlook applications are also updated to the latest version to address this vulnerability.

Stay safe and informed,

OP Innovate Research Team.

Resources highlights

CVE-2026-21509: Actively Exploited Microsoft Office Security Bypass

CVE-2026-21509 is a zero-day security feature bypass vulnerability in Microsoft Office that has been confirmed as actively exploited in the wild. The flaw allows adversaries…

Read more >

cve-2026-21509

Guidance to Address Ongoing Exploitation of Fortinet SSO Vulnerability (CVE-2026-24858)

CVE-2026-24858 is a critical authentication bypass in FortiCloud Single Sign-On (SSO) that can allow an attacker with a FortiCloud account and a registered device to…

Read more >

cve-2026-24858

CVE-2024-37079: VMware vCenter Server DCERPC Heap Overflow (RCE)

CVE-2024-37079 is a critical remote code execution (RCE) vulnerability in VMware vCenter Server caused by a heap overflow in the DCERPC protocol implementation. On January…

Read more >

cve-2024-37079

CVE-2026-24061: GNU Inetutils telnetd Remote Authentication Bypass

CVE-2026-24061 is a pre-authentication remote authentication bypass in GNU Inetutils telnetd. The flaw carries a Critical CVSS:3.1 severity score of 9.8 and allows an attacker…

Read more >

CVE-2026-24061

CVE-2026-0227: PAN-OS GlobalProtect Denial-of-Service Vulnerability

CVE-2026-0227 is a high-severity denial-of-service vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access deployments where GlobalProtect Gateway or Portal is enabled. The flaw allows…

Read more >

cve-2026-0227

CVE-2026-20805: Windows Desktop Window Manager (DWM) Zero-Day

CVE-2026-20805 is a Windows Desktop Window Manager (DWM) information disclosure vulnerability that has been exploited in the wild as a zero-day.While the CVSS v3.1 base…

Read more >

cve-2026-20805
Under Cyber Attack?

Fill out the form and we will contact you immediately.