Thousands of Microsoft Exchange servers could be vulnerable to this dangerous security flaw

A privilege escalation flaw is being abused in the wild

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Tens of thousands ofMicrosoftExchange servers are vulnerable to a flaw that is already being abused in the wild, experts have warned.

The vulnerability, tracked as CVE-2024-21410, is a privilege escalation flaw that allows threat actors to perform NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the target endpoint. As a result, they could steal sensitive information and confidential data being shared via email, or could use the access as a stepping stone for more devastating attacks.

It was discovered as a zero-day earlier this year, and patched on February 13,BleepingComputerreports, citing Shadowserver, which claims to have identified almost 100,000 potentially vulnerable servers. Of that number, 28,500 are confirmed to be vulnerable, while for the rest it’s unclear if the admins applied the patch yet, or not.

Patch available, PoC not yet

The majority of the vulnerable instances are found in Germany (22,903), the United States (19,434), and the United Kingdom (3,665). Other notable mentions include France (3,074), Austria (2,987), Russia (2,771), Canada (2,554), and Switzerland (2,119).

The good news is that there is no publicly available Proof-of-Concept (PoC) exploit, which reduces the number of threat actors capable of exploiting CVE-2024-21410. The bad news is that the flaw is already being exploited in the wild by certain unnamed hackers. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) also added the flaw to its KEV (Known Exploited Vulnerabilities) catalog and gave federal organizations a deadline of March 7 to apply the patch or stop using the product.

To secure their servers, administrators should apply the Exchange Server 2019 Cumulative Update 14 (CU14), which was released as part of the February 2024 Patch Tuesday update. This patch enables NTLM credentials Relay Protections, it was explained.

More from TechRadar Pro

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics