Open Nav
Sign Up

Critical Zero-Day Vulnerability in Microsoft Exchange Server Exploited Prior to Patch (CVE-2024-21410)

Bar Refael

February 15, 2024

Microsoft has issued an urgent security advisory regarding a critical vulnerability in its Exchange Server product, identified as CVE-2024-21410. This vulnerability was actively exploited as a zero-day before being addressed in the recent Patch Tuesday update. The flaw allows remote, unauthenticated attackers to escalate privileges through NTLM relay attacks on vulnerable Exchange Server versions. Microsoft has responded by releasing a patch in Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

Vulnerability Details:

  • CVE ID: CVE-2024-21410
  • Severity: Critical
  • Impact: Privilege Escalation through NTLM Relay Attacks
  • Affected Versions: Vulnerable Microsoft Exchange Server versions
  • Remediation: Apply Exchange Server 2019 Cumulative Update 14 (CU14) to enable NTLM credentials Relay Protections (EPA)

Mitigation and Recommendations:

  • Immediate Action: Customers are advised to promptly apply the CU14 update to their Exchange servers to mitigate the risk of exploitation.
  • Extended Protection (EP): EP is now automatically enabled by default on all Exchange servers after installing the CU14 update. This feature strengthens Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.
  • Environment Evaluation: Before enabling EP on Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft’s documentation for the EP toggle script to avoid breaking functionality.
  • Monitoring and Vigilance: Customers are encouraged to monitor their systems for any signs of compromise and remain vigilant for any related security updates or advisories from Microsoft.

Additional Notes:

In a separate but related advisory, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during the same Patch Tuesday update. Customers are advised to ensure that their Outlook applications are also updated to the latest version to address this vulnerability.

Stay safe and informed,

OP Innovate Research Team.

Resources highlights

Cisco Unified CM Vulnerability CVE-2026-20230 Targeted After Public PoC Disclosure 

Cisco has disclosed and patched CVE-2026-20230, a critical SSRF vulnerability affecting Cisco Unified Communications Manager and Unified CM SME when the WebDialer service is enabled.…

Read more >

CVE-2026-20230

Microsoft Confirms Unpatched RoguePlanet Defender Zero-Day (CVE-2026-50656)

Microsoft has confirmed a new Microsoft Defender zero-day vulnerability tracked as CVE-2026-50656 and publicly referred to as RoguePlanet. The flaw affects the Microsoft Malware Protection…

Read more >

RoguePlanet_cve-2026-50656

FortiBleed Campaign Exposes Fortinet Firewall and VPN Credentials at Scale

A large-scale credential abuse campaign dubbed FortiBleed has reportedly affected tens of thousands of Fortinet firewall and VPN devices worldwide. Public reporting indicates that threat…

Read more >

fortibleed

Fortinet FortiSandbox Under Active Attack (CVE-2026-39813 & Others)

Threat actors are actively exploiting multiple critical vulnerabilities affecting Fortinet FortiSandbox. The reported activity involves three unauthenticated vulnerabilities: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. These flaws are…

Read more >

cve-2026-39813

Critical Wazuh Manager Vulnerability Enables Alert Tampering and Security Evidence Deletion

A critical vulnerability has been disclosed in Wazuh Manager that could allow attackers to tamper with security data, delete alerts, and manipulate forensic evidence stored…

Read more >

wazuh manager vulnerability

Critical Check Point VPN Zero-Day Exploited in Attacks Linked to Qilin Ransomware (CVE-2026-50751)

Check Point has released emergency security updates for a critical authentication bypass vulnerability affecting specific Remote Access VPN and Mobile Access deployments. Tracked as CVE-2026-50751,…

Read more >

cve-2026-50751
Under Cyber Attack?

Fill out the form and we will contact you immediately.