Open Nav
Sign Up

Critical Zero-Day Vulnerability in Microsoft Exchange Server Exploited Prior to Patch (CVE-2024-21410)

Bar Refael

February 15, 2024

Microsoft has issued an urgent security advisory regarding a critical vulnerability in its Exchange Server product, identified as CVE-2024-21410. This vulnerability was actively exploited as a zero-day before being addressed in the recent Patch Tuesday update. The flaw allows remote, unauthenticated attackers to escalate privileges through NTLM relay attacks on vulnerable Exchange Server versions. Microsoft has responded by releasing a patch in Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

Vulnerability Details:

  • CVE ID: CVE-2024-21410
  • Severity: Critical
  • Impact: Privilege Escalation through NTLM Relay Attacks
  • Affected Versions: Vulnerable Microsoft Exchange Server versions
  • Remediation: Apply Exchange Server 2019 Cumulative Update 14 (CU14) to enable NTLM credentials Relay Protections (EPA)

Mitigation and Recommendations:

  • Immediate Action: Customers are advised to promptly apply the CU14 update to their Exchange servers to mitigate the risk of exploitation.
  • Extended Protection (EP): EP is now automatically enabled by default on all Exchange servers after installing the CU14 update. This feature strengthens Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.
  • Environment Evaluation: Before enabling EP on Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft’s documentation for the EP toggle script to avoid breaking functionality.
  • Monitoring and Vigilance: Customers are encouraged to monitor their systems for any signs of compromise and remain vigilant for any related security updates or advisories from Microsoft.

Additional Notes:

In a separate but related advisory, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during the same Patch Tuesday update. Customers are advised to ensure that their Outlook applications are also updated to the latest version to address this vulnerability.

Stay safe and informed,

OP Innovate Research Team.

Resources highlights

CVE-2026-42945: Actively Exploited NGINX Rewrite Module Vulnerability Enables Worker Crashes and Possible RCE

CVE-2026-42945 is a heap-based buffer overflow vulnerability affecting NGINX Plus and NGINX Open Source. The flaw exists in the ngx_http_rewrite_module and can be triggered through…

Read more >

CVE-2026-42945

CVE Overload is Here: Why Regular Penetration Testing Matters More Than Ever

On 15 April 2026, NIST made a change that every security leader should pay attention to. The National Vulnerability Database is no longer trying to…

Read more >

CVE overload

CVE-2026-20182: Actively Exploited Cisco Catalyst SD-WAN Vulnerability Enables Admin Access

Cisco has disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller, formerly vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage. The vulnerability, tracked…

Read more >

cve-2026-20182-cisco-catalyst-sd-wan-admin-access

CVE-2026-44277 & CVE-2026-26083: Critical Fortinet Vulnerabilities Enable Unauthenticated Code Execution

Fortinet has released security updates for two critical vulnerabilities affecting FortiAuthenticator and FortiSandbox. Both vulnerabilities are rated Critical, carry a CVSS score of 9.1, and…

Read more >

cve-2026-44277, cve-2026-26083

CVE-2026-6973: Actively Exploited Ivanti EPMM Vulnerability Enables RCE

Ivanti has released security updates for Ivanti Endpoint Manager Mobile (EPMM) after confirming limited in-the-wild exploitation of CVE-2026-6973, a high-severity remote code execution vulnerability affecting…

Read more >

CVE-2026-6973

CVE-2026-0300: Actively Exploited Palo Alto PAN-OS Vulnerability Enables Root-Level RCE

Palo Alto Networks has disclosed a critical PAN-OS vulnerability, tracked as CVE-2026-0300, affecting the User-ID Authentication Portal, also known as the Captive Portal. The flaw…

Read more >

cve-2026-0300
Under Cyber Attack?

Fill out the form and we will contact you immediately.