Cyber security news for all


    Urgent: Over 8,500 Exchange Servers Exposed to Critical 0-Day Flaw Allowing Privilege Escalation

    A critical vulnerability, CVE-2024-21410, has been identified in Microsoft Exchange Server. It allows remote, unauthenticated attackers to mount NTLM relay attacks and escalate privileges on vulnerable systems. Although patches are available, over 28,500 Exchange servers remain exposed, leaving organizations at risk of cyberattacks.

    CVE-2024-21410 lets an attacker coerce a network device into authenticating against an NTLM relay server under the attacker's control, then use that relayed authentication to impersonate the targeted device and elevate privileges. Microsoft has addressed the flaw in Exchange Server 2019 Cumulative Update 14 (CU14), which implements NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

    Shadow Server reports indicate that approximately 97,000 servers worldwide remain exposed to this vulnerability, potentially putting sensitive information at risk of compromise.

    Microsoft has provided mitigation strategies to safeguard against this threat. The primary mitigation is enabling Extended Protection (EP) on Exchange servers; EP extends Windows Server authentication so that relayed and man-in-the-middle (MitM) authentication attempts are rejected.

    EP is enabled automatically on all Exchange servers once the 2024 H1 Cumulative Update (CU14) is installed. For earlier versions, such as Exchange Server 2016, administrators can turn on EP with the ExchangeExtendedProtectionManagement PowerShell script provided by Microsoft.
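    Whether EP was applied by CU14 or by Microsoft's script, the end state lives in the IIS configuration of the Exchange virtual directories, so it can be audited independently. The following is an added example written for this article; it is not Microsoft's ExchangeExtendedProtectionManagement.ps1 and not code from the article. It uses the standard WebAdministration cmdlets to read the windowsAuthentication/extendedProtection settings of each virtual directory and reports which endpoints still accept NTLM without channel binding. The list of virtual directories is an assumption for the example; adjust it to your deployment.

```powershell
# Added example (not from the article, not Microsoft's script): audit the
# Extended Protection (EPA) state of Exchange's IIS virtual directories.
# Run in an elevated PowerShell session on the Exchange server; the
# WebAdministration module ships with the IIS management tools.
Import-Module WebAdministration

# Virtual directories to inspect. This list is an assumption for the example;
# extend or trim it to match your front-end / back-end site layout.
$VirtualDirectories = @(
    'IIS:\Sites\Default Web Site\Autodiscover',
    'IIS:\Sites\Default Web Site\EWS',
    'IIS:\Sites\Default Web Site\mapi',
    'IIS:\Sites\Default Web Site\OAB',
    'IIS:\Sites\Default Web Site\Rpc',
    'IIS:\Sites\Exchange Back End\Autodiscover',
    'IIS:\Sites\Exchange Back End\EWS',
    'IIS:\Sites\Exchange Back End\mapi\emsmdb',
    'IIS:\Sites\Exchange Back End\OAB',
    'IIS:\Sites\Exchange Back End\Rpc'
)

function Get-IisConfigValue {
    # Get-WebConfigurationProperty returns either a plain value or a
    # ConfigurationAttribute object depending on the attribute type;
    # normalise both to a string so the caller can compare them.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction Stop
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

function Get-ExchangeEpaStatus {
    param([string[]]$Path = $VirtualDirectories)
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }   # directory not present on this role
        $enabled  = Get-IisConfigValue -PSPath $p -Filter $winAuth -Name 'enabled'
        $checking = Get-IisConfigValue -PSPath $p -Filter "$winAuth/extendedProtection" -Name 'tokenChecking'
        $flags    = Get-IisConfigValue -PSPath $p -Filter "$winAuth/extendedProtection" -Name 'flags'
        # IIS tokenChecking semantics: None = channel binding never checked;
        # Allow = checked only when the client sends a channel binding token
        # (a relayed NTLM exchange carries none, so relay still succeeds);
        # Require = channel binding enforced, which is what EP needs.
        $verdict = switch ($checking) {
            'Require' { 'protected' }
            'Allow'   { 'partial: relay still possible' }
            default   { 'UNPROTECTED' }
        }
        if ($enabled -ne 'True') { $verdict = 'n/a: Windows authentication disabled' }
        [pscustomobject]@{
            VirtualDirectory = $p
            WindowsAuth      = $enabled
            TokenChecking    = $checking
            Flags            = $flags
            Verdict          = $verdict
        }
    }
}

# Usage: print one row per virtual directory; anything not marked
# 'protected' is an endpoint where NTLM relay is still worth worrying about.
Get-ExchangeEpaStatus | Format-Table -AutoSize
```

    Run it before and after the mitigation and diff the two tables; a row stuck at Allow or None after CU14 or the script has run is the thing to chase. One caveat worth knowing before flipping EP on: channel binding ties the NTLM authentication to the TLS session, so Extended Protection only works when TLS terminates on the Exchange server itself. Deployments that offload TLS on a load balancer or reverse proxy will break client authentication once EP is set to Require, and that needs to be reconfigured first.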

    It is crucial for organizations to promptly apply these mitigations to protect their systems against potential attacks exploiting this critical vulnerability.
