A critical Exchange vulnerability could leak your credentials to hackers

Check if your Exchange server leaked any credentials!


Microsoft Exchange CVE-2024-21410 was exploited

Microsoft acknowledged that a long-known elevation of privilege vulnerability in Microsoft Exchange (CVE-2024-21410) has been exploited.

According to the Redmond giant, an attacker can take advantage of this vulnerability to get the credentials from Exchange clients such as Outlook, and then access the Exchange server using the victim’s data:

An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. 

Microsoft issued a patch and fixed the vulnerability

Microsoft issued the Exchange Server 2019 Cumulative Update 14 (CU14) to patch this vulnerability. The update enabled the NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).

The Exchange Server 2019 CU14 enables EPA by default on Exchange servers and Microsoft recommends installing it ASAP to secure your clients and servers.

Also, if you’re running the Microsoft Exchange Server 2016 Cumulative Update 23, the company released Extended Protection as an optional feature with the August 2022 security update (build 15.01.2507.012) to protect your server against CVE-2024-21410.

So, if you haven’t done so yet, install the latest security update for Exchange Server 2016 CU23 before turning on the Extended Protection feature.

Microsoft says that if you already ran the script that enables NTLM credentials Relay Protections on Exchange Server 2019 CU13 or earlier, you were protected from this vulnerability.

If you want to know if your server is configured properly, the company recommends running the latest version of the Exchange Server Health Checker script that will provide an overview of the Extended Protection status.
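For a quick look at what IIS itself reports, the following read-only PowerShell sketch lists the Extended Protection token-checking value for every web application on the server. It is an added example, not code from Microsoft or from the Health Checker script, and it assumes an elevated session on the Exchange server with the IIS WebAdministration module available; the helper name Get-AttributeValue is made up for illustration.

```powershell
# Added example: read-only report of IIS Extended Protection settings.
# Assumes an elevated session on the Exchange server with the IIS
# WebAdministration module installed. It changes no configuration.
Import-Module WebAdministration

$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Hypothetical helper: Get-WebConfigurationProperty may return a raw value
# or an attribute object that carries the value in .Value.
function Get-AttributeValue($result) {
    if ($null -ne $result -and $result.PSObject.Properties['Value']) {
        return $result.Value
    }
    return $result
}

$report = foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $location = '{0}{1}' -f $site.Name, $app.path
        $common = @{
            PSPath   = 'MACHINE/WEBROOT/APPHOST'
            Location = $location
            Filter   = $authFilter
        }
        $winAuth = Get-AttributeValue (Get-WebConfigurationProperty @common -Name 'enabled')
        $token   = Get-AttributeValue (Get-WebConfigurationProperty @common -Name 'extendedProtection.tokenChecking')

        # Translate the IIS tokenChecking value into a plain-language finding.
        $finding = if (-not $winAuth) { 'Windows auth disabled, EPA not applicable' }
        else {
            switch ("$token") {
                'Require' { 'EPA required' }
                'Allow'   { 'EPA accepted but not required' }
                'None'    { 'EPA off' }
                default   { 'Unrecognized value, review manually' }
            }
        }
        [pscustomobject]@{
            Location      = $location
            WindowsAuth   = [bool]$winAuth
            TokenChecking = "$token"
            Finding       = $finding
        }
    }
}
$report | Sort-Object Location | Format-Table -AutoSize
```

This only shows the raw IIS values; which value each Exchange virtual directory is supposed to have is what the Health Checker script evaluates, so treat its output as the authoritative result.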

Although Microsoft acknowledged that CVE-2024-21410 was exploited, they don’t supply any information on the extent of the damage caused by this vulnerability.

Did you already patch your Microsoft Exchange server? Comment below if you had any problems with the update or the vulnerability.
