Over 28,500 Exchange servers vulnerable to actively exploited bug

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting.

Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable.

Exchange Server is widely used in business environments to facilitate communication and collaboration among users, providing email, calendar, contact management, and task management services.

The security issue allows remote unauthenticated actors to perform NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the system.

Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers.

Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.

The most impacted countries are Germany (22,903 instances), the United States (19,434), the United Kingdom (3,665), France (3,074), Austria (2,987), Russia (2,771), Canada (2,554), and Switzerland (2,119).

Currently, there's no publicly available proof-of-concept (PoC) exploit for CVE-2024-21410, which somewhat limits the number of attackers using the flaw in attacks.

To address CVE-2024-21410, system admins are recommended to apply the Exchange Server 2019 Cumulative Update 14 (CU14) update released during the February 2024 Patch Tuesday, which enables NTLM credentials Relay Protections.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has also added CVE-2024-21410 to its 'Known Exploited Vulnerabilities' catalog, giving federal agencies until March 7, 2024, to apply the available updates/mitigations or stop using the product.

Exploitation of CVE-2024-21410 can have serious consequences for an organization because attackers with elevated permissions an Exchange Server can access confidential data like email communication and use the server as a ramp for further attacks on the network.