A critical vulnerability in Microsoft Exchange Server, identified as CVE-2024-21410, has been reported to be actively exploited by threat actors.
This zero-day flaw allows a remote, unauthenticated attacker to relay NTLM credentials to the Exchange server and act with the privileges of the victim whose credentials were relayed. As of the latest reports, over 28,500 Exchange servers have been confirmed vulnerable to this issue.
Privilege Escalation 0-day Flaw
CVE-2024-21410 is exploited in two steps. The attacker first targets an NTLM client such as Outlook with a credential-leaking technique, coercing it into authenticating to a relay server under the attacker's control.
The leaked NTLM credentials are then relayed to the Exchange server, which accepts them because, without Extended Protection, it cannot tell that the authentication originated on a different connection. The attacker thereby gains the victim's privileges on Exchange and can perform operations on the victim's behalf.
Microsoft discovered the flaw internally, and it has been addressed in Exchange Server 2019 Cumulative Update 14 (CU14), which enables NTLM credential relay protection, also known as Extended Protection for Authentication (EPA), by default.
According to the latest Shadowserver scan, roughly 97,000 Exchange servers exposed on the Internet are potentially affected; the 28,500 noted above are those that could be confirmed as vulnerable, while the remainder could not be determined from the outside.
Mitigation Strategies
Microsoft has provided mitigation strategies to protect against this vulnerability.
The key mitigation is enabling Extended Protection (EP) on Exchange servers. EP binds the Windows authentication to the outer TLS channel through channel binding tokens, so NTLM credentials captured on one connection and replayed over another are rejected, which defeats relay and man-in-the-middle (MitM) attacks.
EP will be automatically enabled by default on all Exchange servers after installing the 2024 H1 Cumulative Update (CU14).
For earlier versions such as Exchange Server 2016 (CU23) and Exchange Server 2019 prior to CU14, administrators can enable EP with the ExchangeExtendedProtectionManagement.ps1 PowerShell script provided by Microsoft, after installing the latest Security Update. The script checks prerequisites before making changes; in particular, EP is not compatible with SSL offloading, which must be turned off first.
It is crucial to apply these mitigations promptly, as attackers are actively targeting unpatched servers.
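The audit below is an added example, not code from the article or from Microsoft. It reads the effective `tokenChecking` value of the Extended Protection setting on each Exchange IIS virtual directory (using the standard WebAdministration module), flags any that are still at `None`, and lists the documented invocations of Microsoft's script. The site and virtual-directory names assume a default Exchange installation; Autodiscover is deliberately left out because Microsoft's configuration keeps it at Off.

```powershell
# Added example (not the article's or Microsoft's code): audit Extended
# Protection state on an Exchange server's IIS virtual directories.
# Run in an elevated PowerShell on the Exchange server itself.
Import-Module WebAdministration

# Virtual directories that EP covers on each IIS site (assumed default layout).
# Autodiscover is omitted on purpose: Microsoft's documented setting for it is Off.
$targets = @{
    'Default Web Site'  = @('API','ECP','EWS','MAPI','OAB','OWA','PowerShell','RPC')
    'Exchange Back End' = @('API','ECP','EWS','MAPI/emsmdb','MAPI/nspi','OAB','OWA',
                            'PowerShell','PushNotifications','RPC','RPCWithCert')
}

$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpState {
    foreach ($site in $targets.Keys) {
        foreach ($vdir in $targets[$site]) {
            $psPath = "IIS:\Sites\$site\$vdir"
            if (-not (Test-Path $psPath)) { continue }   # role may not host this vdir
            $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $epFilter -Name tokenChecking
            # Depending on the IIS provider version the value comes back as a string
            # or as a ConfigurationAttribute; normalise to a string.
            $tokenChecking = if ($raw.Value) { $raw.Value } else { "$raw" }
            [pscustomobject]@{
                Site             = $site
                VirtualDirectory = $vdir
                TokenChecking    = $tokenChecking          # None, Allow or Require
                RelayExposed     = ($tokenChecking -eq 'None')
            }
        }
    }
}

$state = Get-ExchangeEpState
$state | Format-Table -AutoSize

$unprotected = @($state | Where-Object RelayExposed)
if ($unprotected.Count -gt 0) {
    Write-Warning ("Extended Protection is off on {0} virtual directories; NTLM relay is still possible there." -f $unprotected.Count)
} else {
    Write-Host 'Extended Protection is configured on every audited virtual directory.'
}

# Microsoft's script (download from https://aka.ms/ExchangeEPScript), for reference:
#   .\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection        # report only
#   .\ExchangeExtendedProtectionManagement.ps1                                 # enable on all servers in the org
#   .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames EX01,EX02  # limit to named servers
#   .\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestoreIISAppConfig"   # revert if clients break
```

Compare the table against Microsoft's documented per-directory values before acting on it: a few front-end directories (for example EWS on the Default Web Site) are intentionally set to `Allow` rather than `Require`, so only `None` on one of the audited directories is a definite gap. Run the audit again after the Microsoft script or CU14 has been applied to confirm the change took effect on every server, not just the one you patched first.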