Open Nav
Sign Up

Critical Zero-Day Vulnerability in Microsoft Exchange Server Exploited Prior to Patch (CVE-2024-21410)

Bar Refael

February 15, 2024

Microsoft has issued an urgent security advisory regarding a critical vulnerability in its Exchange Server product, identified as CVE-2024-21410. This vulnerability was actively exploited as a zero-day before being addressed in the recent Patch Tuesday update. The flaw allows remote, unauthenticated attackers to escalate privileges through NTLM relay attacks on vulnerable Exchange Server versions. Microsoft has responded by releasing a patch in Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

Vulnerability Details:

  • CVE ID: CVE-2024-21410
  • Severity: Critical
  • Impact: Privilege Escalation through NTLM Relay Attacks
  • Affected Versions: Vulnerable Microsoft Exchange Server versions
  • Remediation: Apply Exchange Server 2019 Cumulative Update 14 (CU14) to enable NTLM credentials Relay Protections (EPA)

Mitigation and Recommendations:

  • Immediate Action: Customers are advised to promptly apply the CU14 update to their Exchange servers to mitigate the risk of exploitation.
  • Extended Protection (EP): EP is now automatically enabled by default on all Exchange servers after installing the CU14 update. This feature strengthens Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.
  • Environment Evaluation: Before enabling EP on Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft’s documentation for the EP toggle script to avoid breaking functionality.
  • Monitoring and Vigilance: Customers are encouraged to monitor their systems for any signs of compromise and remain vigilant for any related security updates or advisories from Microsoft.

Additional Notes:

In a separate but related advisory, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during the same Patch Tuesday update. Customers are advised to ensure that their Outlook applications are also updated to the latest version to address this vulnerability.

Stay safe and informed,

OP Innovate Research Team.

Resources highlights

React2Shell (CVE-2025-55182): Critical React RCE With Active China-Linked Exploitation

CVE-2025-55182, also known as React2Shell, is a critical unauthenticated remote-code-execution vulnerability in React Server Components (RSC) that allows attackers to execute arbitrary code on the…

Read more >

react2shell

OWASP Top 10 2025: Changes, Challenges, and What They Mean for Web App Security

The Open Web Application Security Project (OWASP) has released an updated OWASP Top 10 list for the first time in four years.  This list is…

Read more >

OWASP Top 10 2025

Securing Active Directory: Lessons From the Field

Active Directory interconnects users, devices, and servers in an enterprise, making it a high-value target for attackers. A breach in AD can grant adversaries the…

Read more >

Securing Active Directory

Google Chrome Zero-Day Actively Exploited: CVE-2025-13223

A new high-severity zero-day in Google Chrome is being actively exploited to compromise users through malicious websites. The vulnerability, tracked as CVE-2025-13223, is a type…

Read more >

CVE-2025-13223

Critical Remote Code Execution in WatchGuard Firebox VPN Appliances: CVE-2025-9242

A critical vulnerability in WatchGuard Firebox firewalls is being actively exploited to gain remote, unauthenticated code execution on perimeter devices. The flaw, tracked as CVE-2025-9242,…

Read more >

CVE-2025-9242

Critical Zero-Day in Samsung Galaxy Devices: CVE-2025-21042

A newly disclosed zero-day vulnerability in Samsung Galaxy smartphones has been actively exploited in the wild to deploy a sophisticated Android spyware framework known as…

Read more >

CVE-2025-21042
Under Cyber Attack?

Fill out the form and we will contact you immediately.