**Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Exchange Servers**
Microsoft has disclosed an actively exploited zero-day vulnerability in on-premises Exchange Server 2013, 2016, and 2019, tracked as CVE-2024-21410 (CVSS score: 9.8). The flaw, a privilege escalation vulnerability in the Exchange Server’s Outlook Web Access (OWA) component, allows attackers to escalate privileges to Domain Administrator level after gaining initial access—typically through stolen credentials or phishing.
The attacks were first detected in early January 2024 by security researchers at Trend Micro’s Zero Day Initiative (ZDI), who observed threat actors leveraging the exploit in targeted campaigns. Microsoft confirmed the vulnerability on February 13, 2024, warning that unpatched systems are at high risk of compromise. While no specific threat group has been attributed, the sophistication of the attacks suggests involvement by state-sponsored or advanced persistent threat (APT) actors.
The exploit chain begins with authenticated access to an Exchange server, followed by manipulation of the OWA backend to execute arbitrary code with elevated privileges. Successful exploitation grants attackers full control over the Active Directory domain, enabling data theft, lateral movement, and deployment of ransomware or espionage tools. Microsoft has noted that cloud-based Exchange Online customers are not affected, as the vulnerability resides in the on-premises architecture.
A security update (KB5035606) was released on February 13, 2024, as part of Microsoft’s Patch Tuesday cycle, addressing the flaw. Organizations running affected versions are urged to apply the fix immediately, as proof-of-concept (PoC) exploit code has already surfaced in underground forums. Additionally, Microsoft recommends enabling Extended Protection for Authentication (EPA) and disabling OWA if not in use as temporary mitigations.
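The Extended Protection recommendation above can be checked directly on each server. The PowerShell audit below is an added example, not Microsoft's own script or code from the article; it assumes the IIS WebAdministration module is present on the Exchange server and that the listed front-end virtual directories exist under "Default Web Site" (adjust the list to your site names), and it reports any directory whose Extended Protection token checking is not set to Require.

```powershell
# Added audit example (not from the article or from Microsoft): reads the IIS
# Extended Protection setting of the Exchange front-end virtual directories
# and reports any that are not enforced. Run in an elevated PowerShell session
# on the Exchange server; needs the WebAdministration module that ships with IIS.
Import-Module WebAdministration -ErrorAction Stop

# Assumed set of client-facing directories; extend to match your deployment.
$vdirs = @(
    'Default Web Site/owa',
    'Default Web Site/ecp',
    'Default Web Site/mapi',
    'Default Web Site/EWS',
    'Default Web Site/Autodiscover',
    'Default Web Site/rpc',
    'Default Web Site/OAB',
    'Default Web Site/PowerShell'
)

$results = foreach ($vdir in $vdirs) {
    # tokenChecking is the EPA channel-binding policy: None, Allow or Require.
    $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $vdir `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection' -ErrorAction SilentlyContinue
    $setting = if ($ep) { [string]$ep.tokenChecking } else { 'not found' }
    [pscustomobject]@{
        VirtualDirectory = $vdir
        TokenChecking    = $setting
        Enforced         = ($setting -eq 'Require')
    }
}

$results | Format-Table -AutoSize

$weak = $results | Where-Object { -not $_.Enforced }
if ($weak) {
    Write-Warning ('Extended Protection is not enforced (Require) on: ' +
        ($weak.VirtualDirectory -join ', '))
} else {
    Write-Host 'Extended Protection is enforced (Require) on all audited directories.'
}
```

A directory reported as "not found" usually means the site or path name differs from the assumed list rather than that the setting is missing; confirm the names with Get-WebVirtualDirectory before treating it as a gap.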
The incident underscores the growing targeting of Exchange servers, which remain a prime vector for cyberattacks due to their integration with enterprise authentication systems. Previous high-profile Exchange vulnerabilities, such as ProxyLogon (2021) and ProxyShell (2021), led to widespread breaches, and this latest flaw follows a similar pattern of rapid weaponization by threat actors. Security teams are advised to monitor for unusual OWA logins, privilege escalation attempts, and domain controller activity as indicators of compromise.
MGM Resorts Event Productions cybersecurity rating report: https://www.rankiteo.com/company/mgm-resorts-events
```json
{
  "id": "MGM1765260865",
  "linkid": "mgm-resorts-events",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```

```json
{
  "affected_entities": [
    {
      "customers_affected": null,
      "industry": null,
      "location": null,
      "name": null,
      "size": null,
      "type": null
    }
  ],
  "data_breach": {
    "data_encryption": null,
    "data_exfiltration": null,
    "file_types_exposed": null,
    "number_of_records_exposed": null,
    "personally_identifiable_information": null,
    "sensitivity_of_data": null,
    "type_of_data_compromised": null
  },
  "impact": {
    "brand_reputation_impact": null,
    "conversion_rate_impact": null,
    "customer_complaints": null,
    "data_compromised": null,
    "downtime": null,
    "financial_loss": null,
    "identity_theft_risk": null,
    "legal_liabilities": null,
    "operational_impact": null,
    "payment_information_risk": null,
    "revenue_loss": null,
    "systems_affected": null
  },
  "initial_access_broker": {
    "backdoors_established": null,
    "data_sold_on_dark_web": null,
    "entry_point": null,
    "high_value_targets": null,
    "reconnaissance_period": null
  },
  "post_incident_analysis": {
    "corrective_actions": null,
    "root_causes": null
  },
  "ransomware": {
    "data_encryption": null,
    "data_exfiltration": null,
    "ransom_demanded": null,
    "ransom_paid": null,
    "ransomware_strain": null
  },
  "references": [
    {
      "date_accessed": null,
      "source": null,
      "url": null
    }
  ],
  "regulatory_compliance": {
    "fines_imposed": null,
    "legal_actions": null,
    "regulations_violated": null,
    "regulatory_notifications": null
  },
  "response": {
    "adaptive_behavioral_waf": null,
    "communication_strategy": null,
    "containment_measures": null,
    "enhanced_monitoring": null,
    "incident_response_plan_activated": null,
    "law_enforcement_notified": null,
    "network_segmentation": null,
    "on_demand_scrubbing_services": null,
    "recovery_measures": null,
    "remediation_measures": null,
    "third_party_assistance": null
  }
}
```