CVE-2024-21410
published 2024-02-13

CVE-2024-21410: Microsoft Exchange Server Elevation of Privilege Vulnerability

Priority: P1 (88) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW: listed in the CISA Known Exploited Vulnerabilities catalog, remediation due 2024-03-07; exploited in the wild.
EPSS: 12.66% (95.8th percentile)

Affected

8 ranges

Vendor    | Product                                              | Version range                  | Fixed in
microsoft | exchange_server                                      |                                |
microsoft | exchange_server                                      |                                |
microsoft | microsoft_exchange_server_2016_cumulative_update_23  | >= 15.01.0 < 15.01.2507.037    | 15.01.2507.037
microsoft | microsoft_exchange_server_2019_cumulative_update_13  | >= 15.02.0 < 15.2.1544.004     | 15.2.1544.004
microsoft | microsoft_exchange_server_2019_cumulative_update_14  | >= 15.02.0 < 15.2.1544.004     | 15.2.1544.004
msrc      | microsoft_exchange_server_2016_cumulative_update_23  |                                |
msrc      | microsoft_exchange_server_2019_cumulative_update_13  |                                |
msrc      | microsoft_exchange_server_2019_cumulative_update_14  |                                |

Detection & IOCs (extracted from sources)

[other] NTLM relay (Net-NTLMv2) against Exchange Server
  • Check Exchange servers for Extended Protection for Authentication (EPA, Microsoft's NTLM credential relay protection). Unpatched servers that do not have EP enabled are vulnerable.
  • Treat Exchange servers that expose Outlook Web Access (OWA) to the internet without Extended Protection as the highest-priority targets for this NTLM relay attack.
  • Monitor Exchange Web Services (EWS) for anomalous authenticated access patterns, which may indicate post-exploitation mailbox access or data exfiltration after a successful relay.
  • Verify each server's full build number (including the security update, which AdminDisplayVersion does not report) against the fixed build for its own cumulative update, and flag servers below these builds as vulnerable: Exchange 2019 CU14 Mar24SU (15.2.1544.9), Exchange 2019 CU13 Mar24SU (15.2.1258.32), Exchange 2016 CU23 Mar24SU (15.1.2507.37). Build numbers are only comparable within a CU, so a single global threshold would misclassify patched CU13 servers (15.2.1258.x) as older than CU14 (15.2.1544.x).
  • Caveat: enabling Extended Protection (EP) breaks functionality if SSL offloading is in use, or if SSL bridging re-encrypts with a TLS certificate or configuration that does not match the Exchange server's. CU14 Setup enables EP by default and offers an opt-out (the /DoNotEnableEP switch).
  • Caveat: Exchange servers older than the August 2022 SU do not support Extended Protection, and server-to-server communication with EP-enabled servers breaks; such servers remain persistently vulnerable and should be updated or decommissioned before EP is enforced.
  • Caveat: no public PoC exploit existed at the time of reporting, which somewhat limits the attacker pool but does not remove the risk of active exploitation, given the CISA KEV listing.
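As an added example (not code from this page, from its sources, or from Microsoft), the following PowerShell script applies the two checks above on a single Exchange server: the per-CU build-number comparison and the Extended Protection state of the IIS virtual directories. It assumes it runs locally on the server with the IIS WebAdministration module available, that the fixed builds are the Mar24SU builds quoted above, and that EP state is read from the tokenChecking attribute of the windowsAuthentication extendedProtection element in applicationHost.config; the virtual-directory list is an illustrative subset, not the full set Microsoft configures.

```powershell
# Added example: local check of one Exchange server for CVE-2024-21410 exposure.
# Assumes: IIS WebAdministration module present, ExSetup.exe on the path (true on an Exchange server),
# fixed builds as quoted in the detection notes above (Mar24SU).
Import-Module WebAdministration

# Fixed build per cumulative update. Keyed by the CU's own Major.Minor.Build prefix, because build
# numbers only compare within a CU (2019 CU13 is 15.2.1258.x, CU14 is 15.2.1544.x).
$fixedBuilds = @{
    '15.2.1544' = [version]'15.2.1544.9'    # Exchange 2019 CU14 Mar24SU
    '15.2.1258' = [version]'15.2.1258.32'   # Exchange 2019 CU13 Mar24SU
    '15.1.2507' = [version]'15.1.2507.37'   # Exchange 2016 CU23 Mar24SU
}

# The full build, SU included, is the file version of ExSetup.exe; Get-ExchangeServer's
# AdminDisplayVersion only reports the CU build.
$exsetup = Get-Command ExSetup.exe -ErrorAction Stop
$build   = [version]$exsetup.FileVersionInfo.FileVersion
$cuKey   = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build

$buildResult = if (-not $fixedBuilds.ContainsKey($cuKey)) {
    "UNKNOWN CU ($build): not in the Mar24SU table, treat as unsupported or vulnerable"
} elseif ($build -lt $fixedBuilds[$cuKey]) {
    "VULNERABLE build $build (below $($fixedBuilds[$cuKey]))"
} else {
    "patched build $build"
}

# Extended Protection is enforced per IIS virtual directory on both the front-end site
# (Default Web Site) and the back-end site (Exchange Back End). tokenChecking of 'None' means
# EP is off for that directory. Illustrative subset of directories (assumption).
$vdirs = @(
    'Default Web Site/owa', 'Default Web Site/ecp', 'Default Web Site/EWS',
    'Default Web Site/mapi', 'Default Web Site/Autodiscover',
    'Exchange Back End/owa', 'Exchange Back End/EWS'
)

$epResults = foreach ($v in $vdirs) {
    $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $v `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection'
    [pscustomobject]@{ VirtualDirectory = $v; TokenChecking = [string]$ep.tokenChecking }
}

Write-Output $buildResult
$epResults | Format-Table -AutoSize

# A patched build with EP still off is the case the detection notes call out: relay remains possible.
if ($epResults | Where-Object { $_.TokenChecking -eq 'None' -or $_.TokenChecking -eq '' }) {
    Write-Warning "Extended Protection is not enabled on at least one virtual directory; NTLM relay (CVE-2024-21410) remains possible regardless of build"
}
```

Run it in an elevated Exchange Management Shell on each server rather than through Get-ExchangeServer remoting, since both the ExSetup.exe file version and the IIS configuration are local to the box. A server whose build is patched but whose directories report tokenChecking of None is still exposed, which is why the two checks are reported separately.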

CVSS provenance

Source      | CVSS version | Score | Severity | Vector
nvd         | 3.1          | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   |              | 9.8   | CRITICAL |
cisa        |              | 9.8   | CRITICAL |
vendor_msrc |              | 9.8   | CRITICAL |