Over 28,500 Microsoft Exchange Servers at Risk from Actively Exploited Security Flaw

A significant security concern has emerged with the discovery that nearly 97,000 Microsoft Exchange servers could be at risk due to a critical vulnerability identified as CVE-2024-21410. This flaw, which allows for privilege escalation, has been actively exploited by cybercriminals.

Microsoft responded to this threat on February 13, acknowledging its use as a zero-day exploit before then. To date, it's been determined that 28,500 servers remain susceptible to this vulnerability.

Exchange Server plays a crucial role in the corporate world, enabling seamless interaction and cooperation through its comprehensive suite of services including email, calendars, contact management, and task scheduling.

The vulnerability in question permits unauthorized external entities to conduct NTLM relay attacks against Microsoft Exchange Servers, thereby gaining elevated system privileges.

Shadowserver, a threat detection service, has recently revealed its findings of around 97,000 servers that could potentially be compromised.

According to Shadowserver's data, the vulnerability status of about 68,500 servers hinges on the application of specific mitigations by their administrators, leaving 28,500 definitively at risk to CVE-2024-21410.

The countries most affected include Germany, the United States, the United Kingdom, France, Austria, Russia, Canada, and Switzerland, with Germany leading in the number of instances.

Countries with the highest server exposure count (Shadowserver)

Although there is presently no publicly accessible exploit code for CVE-2024-21410, this fact may restrict the pool of attackers but does not eliminate the risk.

To mitigate this issue, administrators are urged to install the Cumulative Update 14 (CU14) for Exchange Server 2019, which was released as part of the February 2024 Patch Tuesday. This update introduces protections against NTLM credential relay attacks.

Furthermore, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has recognized the seriousness of CVE-2024-21410 by including it in its catalog of 'Known Exploited Vulnerabilities'. Federal agencies have been given a deadline of March 7, 2024, to either implement the necessary updates and mitigations or discontinue using the affected product.

The potential fallout from exploiting CVE-2024-21410 is considerable. Attackers gaining unauthorized administrative access to an Exchange Server could intercept sensitive information, including email communications, and leverage this access to conduct further attacks within the network.

Post a Comment