CVE-2024-21410: Microsoft Exchange Server Elevation of Privilege Vulnerability
Published 2024-02-13
Priority P1 (88) · Severity critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2024-03-07 · Exploited in the wild (ITW)
EPSS: 12.66% (95.8th percentile)
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.037 | 15.01.2507.037 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_13 | >= 15.02.0 < 15.2.1544.004 | 15.2.1544.004 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_14 | >= 15.02.0 < 15.2.1544.004 | 15.2.1544.004 |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_13 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_14 | — | — |
Detection & IOCs (extracted from sources)
- Check Exchange servers for the absence of Extended Protection for Authentication (EPA, Microsoft's "NTLM credentials Relay Protections"); unpatched servers without EP enabled are confirmed vulnerable.
- Identify Exchange servers that expose Outlook Web Access (OWA) to the internet without Extended Protection enabled; these are the systems this NTLM relay attack targets and should be remediated first.
- Monitor Exchange Web Services (EWS) for anomalous authenticated access patterns that may indicate post-exploitation data exfiltration following a successful NTLM relay.
- Verify Exchange Server build numbers against the patched versions and flag servers below the following builds as vulnerable: Exchange 2019 CU14 Mar24SU (15.2.1544.9), Exchange 2019 CU13 Mar24SU (15.2.1258.32), Exchange 2016 CU23 Mar24SU (15.1.2507.37).
- Enabling Extended Protection (EP) may break functionality if SSL bridging is in use or if client and server TLS configurations mismatch; an opt-out is available during CU14 Setup.
- Exchange servers older than the August 2022 SU do not support Extended Protection and break server-to-server communication with EP-enabled servers; they are considered persistently vulnerable.
- No publicly available PoC exploit existed at the time of reporting, which somewhat limits the attacker pool but does not eliminate the active exploitation risk indicated by the CISA KEV listing.
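As an added example (not from this page or any of the sources it quotes), the build-number and Extended Protection checks above combined into one triage routine: a server is compared only against the Mar24SU build of its own cumulative-update line, so that 2019 CU13 at 15.2.1258.32 is not mistaken for "below CU14", and the EP state decides the outcome for servers that are already on a patched build. The build strings follow the AdminDisplayVersion format; the hostnames and EP states in the sample inventory are constructed.

```python
import re
from typing import Optional

# Minimum patched build per cumulative-update line, from the detection note
# above (Mar24SU builds). Keyed by (major, minor, build) so a server is compared
# only against its own servicing line: 2019 CU13 at 15.2.1258.32 is patched even
# though it is numerically below CU14's 15.2.1544.9.
PATCHED_BUILDS = {
    (15, 2, 1544): ("Exchange 2019 CU14", 9),
    (15, 2, 1258): ("Exchange 2019 CU13", 32),
    (15, 1, 2507): ("Exchange 2016 CU23", 37),
}

# Accepts dotted '15.2.1258.32' or the AdminDisplayVersion form
# 'Version 15.2 (Build 1258.32)'.
_BUILD_RE = re.compile(r"(?:Version\s+)?(\d+)\.(\d+)(?:\.|\s*\(Build\s+)(\d+)\.(\d+)")


def parse_build(text: str) -> tuple:
    """Return (major, minor, build, revision) as ints, or raise ValueError."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Exchange build string: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(build_text: str, ep_enabled: Optional[bool]) -> str:
    """Triage one server. ep_enabled is None when the EP state was not collected."""
    major, minor, build, rev = parse_build(build_text)
    line = PATCHED_BUILDS.get((major, minor, build))
    if line is None:
        # Exchange 2013 (15.0.x) or a 2016/2019 CU older than those that received
        # the fix: no patched build exists for this line, so it must be upgraded.
        return "unsupported"
    _, min_rev = line
    if ep_enabled is True:
        return "mitigated"          # EP is the mitigation for this NTLM relay
    if rev < min_rev:
        return "vulnerable"         # below the patched build and EP not on
    if ep_enabled is None:
        return "needs_check"        # patched build; confirm EP was not opted out
    return "at_risk"                # patched build but EP not enabled


def triage(inventory):
    """inventory: iterable of (server, build_string, ep_enabled) -> {server: status}"""
    return {name: classify(build, ep) for name, build, ep in inventory}


# Constructed sample inventory (hypothetical hostnames and states, not real data).
SAMPLE_INVENTORY = [
    ("ex01", "Version 15.2 (Build 1544.9)", True),    # CU14 Mar24SU, EP on
    ("ex02", "15.2.1258.32", False),                  # CU13 Mar24SU, EP never enabled
    ("ex03", "Version 15.2 (Build 1258.28)", False),  # CU13 before Mar24SU
    ("ex04", "15.1.2507.37", None),                   # 2016 CU23 Mar24SU, EP unknown
    ("ex05", "Version 15.0 (Build 1497.48)", False),  # Exchange 2013, out of support
]

if __name__ == "__main__":
    for server, status in triage(SAMPLE_INVENTORY).items():
        print(f"{server:<6} {status}")
```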
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
CISA
Microsoft Exchange Server Privilege Escalation Vulnerability
cisa · 2024-02-15 · CVSS 9.8 · CRITICAL · CWE-287
Vulnerability: Microsoft Exchange Server Privilege Escalation Vulnerability
Affected: Microsoft Exchange Server
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410; https://nvd.nist.gov/vuln/detail/CVE-2024-21410
Remediation Due Date: 2024-03-07
Microsoft
Microsoft Exchange Server Elevation of Privilege Vulnerability
vendor_msrc · 2024-02-13 · CVSS 9.8 · CRITICAL · CWE-287
FAQ: Where can I find more information about NTLM relay attacks?
Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.
FAQ: How could an attacker exploit this vulnerability?
An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
GHSA
GHSA-mv5v-r4x4-qmxw: Microsoft Exchange Server Elevation of Privilege Vulnerability
ghsa_unreviewed · 2024-02-13 · CRITICAL · CWE-287
VulnCheck
Microsoft Exchange Server Privilege Escalation Vulnerability
vulncheck · 2024 · CVSS 9.8 · CRITICAL · CWE-287
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Exchange Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Feb; https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-03-07
No detection rules found.
No public exploits indexed.
Wiz
What Are Zero-Day Exploits? | Wiz
blogs_wiz · 2025-10-10
## What are zero-day exploits?
Zero-day exploits (aka 0-days) pose the ultimate cybersecurity challenge: When attackers weaponize software vulnerabilities that developers, security researchers, and defensive systems haven’t detected, you have exactly zero days of advance warning before the hidden flaws in your software, hardware, or firmware cost you.
Here’s how these attacks unfold:
1. Attackers discover vulnerabilities through reverse engineering, fuzzing, or analyzing software patches.
2. They develop reliable exploit code that triggers flaws consistently across diverse environments.
3. Once perfected, exploits enter active deployment, with threat actors targeting specif
Bleepingcomputer
Germany warns of 17K vulnerable Microsoft Exchange servers exposed online
blogs_bleepingcomputer · 2024-03-26
By Sergiu Gatlan
The German national cybersecurity authority warned on Tuesday that it found at least 17,000 Microsoft Exchange servers in Germany exposed online and vulnerable to one or more critical security vulnerabilities.
According to the German Federal Office for Information Security (BSI), around 45,000 Microsoft Exchange servers in Germany have Outlook Web Access (OWA) enabled and are accessible from the Internet.
Approximately 12% of these servers still use outdated versions of Exchange (2010 or 2013), which have not received security updates since October 2020 and April 2023, respectively.
For the Exchange 2016 or 2019 servers exposed online, roughly 28% have not been patched for at least four month
Bleepingcomputer
Over 28,500 Exchange servers vulnerable to actively exploited bug
blogs_bleepingcomputer · 2024-02-19 · CVSS 9.8 · CRITICAL
By Bill Toulas
The security issue allows remote unauthenticated actors to perform NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the system.
Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers.
Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.
The most impacted countries are Germany (22,903 instances), the United States (19,434), the United Kingdom (3,665), France (3,074), Austria (2,987), Russia (2,771), Canada (2,554), and Switzerland (2,119).
Curr
Bleepingcomputer
Microsoft Exchange update enables Extended Protection by default
blogs_bleepingcomputer · 2024-02-14 · CVSS 8.0 · HIGH
By Sergiu Gatlan
"If your servers are not ready for using EP (for example, they use SSL bridging or there are mismatches between client and server TLS configuration), and you do not opt out of EP enablement during Setup, it is possible that some functionality may break after installing CU14."
Admins are advised to evaluate their environments and review the issues mentioned in the documentation of the Microsoft-provided ExchangeExtendedProtectionManagement PowerShell script before toggling EP on their Exchange servers (this script automatically updates itself on systems connected to the Internet).
If encountering issues after EP is enabled, admins can either ensure that all EP prerequisites are met or use the script to
Bleepingcomputer
Microsoft: New critical Exchange bug exploited as zero-day
blogs_bleepingcomputer · 2024-02-14 · CVSS 9.8 · CRITICAL
By Sergiu Gatlan
"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," Microsoft explains.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
"An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user."
## Mitigation via Exchange Extended Protection
The Exchange Server 2019 Cumulative Update 14 (CU14) update released during the February 2024 Patch Tuesday addresses this vulnerability by enabling NTLM credentials Relay Protecti
Tenable
Microsoft’s February 2024 Patch Tuesday Addresses 73 CVEs (CVE-2024-21351, CVE-2024-21412)
blogs_tenable · 2024-02-13 · CVSS 7.6 · HIGH
Bleepingcomputer
Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
blogs_bleepingcomputer · 2024-02-13 · CVSS 7.6 · HIGH
By Lawrence Abrams
- 16 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 30 Remote Code Execution Vulnerabilities
- 5 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 10 Spoofing Vulnerabilities
The total count of 73 flaws does not include 6 Microsoft Edge flaws fixed on February 8th and 1 Mariner flaw.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034765 cumulative update and the Windows 10 KB5034763 update.
## Two zero-days fixed
This month's Patch Tuesday fixes two actively exploited zero-day vulnerabilities, which Microsoft classifies as a flaw that is publicly disclosed or ac
Qualys
Microsoft and Adobe Patch Tuesday, February 2024 Security Update Review | Qualys
blogs_qualys · 2024-02-13
#### Table of Contents
- Microsoft Patch Tuesday for February 2024
- Adobe Patches for February 2024
- Zero-day Vulnerabilities Patched in February Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in February Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
The new Microsoft Patch Tuesday Edition for February 2024 is now live! We invite you to join us to review and discuss the details of these security updates and patches.
## Microsoft Patch Tuesday for February 2024
Microsoft Patch
Krebs
Fat Patch Tuesday, February 2024 Edition
blogs_krebs · 2024-02-13 · CVSS 5.4 · MEDIUM (CVE-2024-21412)
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi)
Trendmicro
The February 2024 Security Update Review
blogs_trendmicro · 2024-02-12 · CVSS 7.5 · HIGH
Get the February 2024 security update and review.
By: Dustin Childs, 2024/02/12
It’s the second Patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:
If you’d rather watch the full video recap covering the entire release, you can check it out here:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Important | 8. | | | |
Adobe Patches for February 2024
For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D
Huntress
CVE-2024-21410 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress · CVSS 9.8 · CRITICAL
## CVE-2024-21410 Vulnerability
Published: 12/05/2025
Written by: Lizzie Danieslon
## What is CVE-2024-21410 Vulnerability?
CVE-2024-21410 is a critical remote code execution (RCE) vulnerability that affects versions of Microsoft Exchange. It allows threat actors to execute arbitrary code by exploiting improper input validation on server-side functions. This vulnerability can compromise data confidentiality, system integrity, and availability, making it a high-risk target for attackers. It is tracked under CVE-2024-21410 in the National Vulnerability Database.
## When was it discovered?
CVE-2024-21410 was first disclosed on October 10, 2023. Public disclosure followed after a 90-day coordinated vulnerability disclosure period.
## Affected Products & Versions
Product
Versions Affec
Crowdstrike
February 2024 Patch Tuesday: Updates and Analysis
blogs_crowdstrike · CVSS 7.5 · HIGH (CVE-2026-20929)
Timeline
- 2024-02-13: Published
- 2024-02-15: Added to CISA KEV
- Exploited in the wild