Microsoft: KVUE

Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Exchange Servers

Microsoft has issued an urgent security alert after confirming active exploitation of a zero-day vulnerability in on-premises Exchange Server 2013, 2016, and 2019. Tracked as CVE-2024-21410, the flaw allows attackers to escalate privileges and execute arbitrary code with SYSTEM-level access, the highest level of permissions on Windows systems.

The vulnerability stems from improper handling of NTLM (New Technology LAN Manager) relay attacks, enabling threat actors to bypass authentication and gain unauthorized control over vulnerable servers. Microsoft’s Threat Intelligence team reports that a state-sponsored threat group, identified as APT29 (aka "Cozy Bear"), has been leveraging the exploit in targeted attacks since at least January 2024. The group, linked to Russia’s SVR intelligence agency, has historically targeted government, diplomatic, and critical infrastructure entities.

The attacks have been observed in North America and Europe, with victims primarily in defense, energy, and IT sectors. While Microsoft has not disclosed the exact number of compromised organizations, the company warns that any unpatched Exchange Server exposed to the internet is at high risk. The flaw does not affect Exchange Online (Microsoft 365), as it operates in a separate, cloud-based environment.

Microsoft released an out-of-band security update (KB5034763) on February 13, 2024, urging administrators to apply the patch immediately. For organizations unable to patch immediately, Microsoft recommends disabling NTLM authentication and enforcing Extended Protection for Authentication (EPA) as temporary mitigations. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21410 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 27, 2024.

The incident underscores the growing sophistication of state-backed cyber espionage, with APT29 leveraging zero-days to maintain persistence in high-value networks. Security researchers note that the exploit’s low complexity and high impact make it an attractive tool for both advanced and opportunistic attackers. Organizations running on-premises Exchange are advised to review logs for signs of compromise, including unexpected NTLM authentication attempts or unauthorized mailbox access.

Source: https://www.kvue.com/article/news/nation-world/toy-giant-hasbro-hit-by-cyberattack/507-f6d75ff4-725b-43c0-8378-5afb814ee992

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft

"id": "MIC1776941332",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Defense', 'Energy', 'IT'],
                        'location': ['North America', 'Europe'],
                        'name': 'Microsoft Exchange Server Customers',
                        'type': 'Organizations'}],
 'attack_vector': 'NTLM Relay Attack',
 'customer_advisories': 'Microsoft urges all on-premises Exchange Server '
                        'administrators to apply the patch immediately and '
                        'review logs for signs of compromise.',
 'data_breach': {'data_exfiltration': 'Potential',
                 'personally_identifiable_information': 'Potential',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Mailbox data', 'Potential PII']},
 'date_detected': '2024-01-01',
 'date_publicly_disclosed': '2024-02-13',
 'description': 'Microsoft has issued an urgent security alert after '
                'confirming active exploitation of a zero-day vulnerability in '
                'on-premises Exchange Server 2013, 2016, and 2019. Tracked as '
                'CVE-2024-21410, the flaw allows attackers to escalate '
                'privileges and execute arbitrary code with SYSTEM-level '
                'access. The vulnerability stems from improper handling of '
                'NTLM relay attacks, enabling threat actors to bypass '
                'authentication and gain unauthorized control over vulnerable '
                'servers.',
 'impact': {'brand_reputation_impact': 'High (Microsoft security alert, CISA '
                                       'KEV listing)',
            'data_compromised': 'Unauthorized mailbox access, potential data '
                                'exfiltration',
            'identity_theft_risk': 'High (potential PII exposure)',
            'operational_impact': 'Unauthorized SYSTEM-level access, potential '
                                  'network persistence',
            'systems_affected': 'On-premises Exchange Server 2013, 2016, 2019'},
 'initial_access_broker': {'backdoors_established': 'Potential (APT29 known '
                                                    'for persistence)',
                           'high_value_targets': ['Government',
                                                  'Diplomatic',
                                                  'Critical Infrastructure']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The incident underscores the growing sophistication of '
                    'state-backed cyber espionage and the risks of unpatched '
                    'on-premises systems. Organizations must prioritize patch '
                    'management and monitor for unusual authentication '
                    'activity.',
 'motivation': 'Cyber Espionage',
 'post_incident_analysis': {'corrective_actions': ['Patch management '
                                                   'prioritization',
                                                   'NTLM authentication '
                                                   'hardening',
                                                   'Enhanced monitoring for '
                                                   'authentication anomalies'],
                            'root_causes': 'Improper handling of NTLM relay '
                                           'attacks in Exchange Server, '
                                           'enabling privilege escalation and '
                                           'SYSTEM-level access'},
 'recommendations': ['Apply the out-of-band security update (KB5034763) '
                     'immediately',
                     'Disable NTLM authentication if patching is not '
                     'immediately possible',
                     'Enforce Extended Protection for Authentication (EPA)',
                     'Review logs for signs of compromise (unexpected NTLM '
                     'authentication attempts, unauthorized mailbox access)',
                     'Monitor for persistence mechanisms in high-value '
                     'networks'],
 'references': [{'date_accessed': '2024-02-13',
                 'source': 'Microsoft Security Alert'},
                {'date_accessed': '2024-02-13',
                 'source': 'CISA Known Exploited Vulnerabilities (KEV) '
                           'Catalog'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA Known Exploited '
                                                        'Vulnerabilities (KEV) '
                                                        'catalog']},
 'response': {'communication_strategy': 'Urgent security alert, CISA KEV '
                                        'catalog addition',
              'containment_measures': ['Disabling NTLM authentication',
                                       'Enforcing Extended Protection for '
                                       'Authentication (EPA)'],
              'enhanced_monitoring': ['Review logs for unexpected NTLM '
                                      'authentication attempts'],
              'remediation_measures': ['Out-of-band security update '
                                       '(KB5034763)']},
 'stakeholder_advisories': 'Federal agencies mandated to patch by February 27, '
                           '2024 (CISA KEV). Organizations in defense, energy, '
                           'and IT sectors advised to prioritize remediation.',
 'threat_actor': 'APT29 (Cozy Bear)',
 'title': 'Critical Zero-Day Exploit in Progress: Microsoft Confirms Active '
          'Attacks on Exchange Servers',
 'type': 'Zero-Day Exploit',
 'vulnerability_exploited': 'CVE-2024-21410'}