The disclosure of a zero-day vulnerability in Microsoft Exchange Server has put a large number of internet-facing systems at risk. According to the latest report from The Shadowserver Foundation, a non-profit cybersecurity organization, more than 28,000 internet-accessible Microsoft Exchange servers are currently vulnerable.
A further 68,000 Exchange instances are classed as 'possibly vulnerable': they run later builds that may have mitigations in place, but whether the mitigation is actually enabled cannot be confirmed from the outside, so the risk of exploitation remains. In total, roughly 97,000 servers are vulnerable or possibly vulnerable.
The root cause is a privilege escalation flaw, CVE-2024-21410, rated critical with a CVSS score of 9.8. It enables NTLM relay attacks (often described in coverage as pass-the-hash): an attacker who obtains a user's Net-NTLMv2 authentication response, for instance by coercing an NTLM client such as Outlook into authenticating to an attacker-controlled host, relays that response to a vulnerable Exchange server and is authenticated as that user. Unlike a classic pass-the-hash attack, nothing has to be cracked or reused offline; the response is replayed live against the target.
The flaw is particularly concerning because Exchange Server 2019 did not enable NTLM credential relay protection, known as Extended Protection for Authentication (EPA), by default. EPA binds the NTLM authentication to the TLS channel it arrived over, so a relayed response fails the channel-binding check; without it, numerous servers were left exposed.
On February 13, Microsoft released patches for 72 vulnerabilities, including CVE-2024-21410, and strongly urged customers to install Exchange Server 2019 Cumulative Update 14 (CU14), which turns EPA on by default. The urgency was underlined a day later, when Microsoft updated its advisory to flag the defect as actively exploited. The US cybersecurity agency CISA responded by adding the bug to its Known Exploited Vulnerabilities Catalog.
Specific details about the attacks exploiting this vulnerability are not yet available, but the potential impact should not be underestimated.
Shadowserver's recent announcement described an ongoing effort to track Exchange instances exposed to CVE-2024-21410. As of February 17, its findings indicated roughly 97,000 servers that are vulnerable or possibly vulnerable. Servers running version 15.2.1118.12 or earlier are classified as vulnerable; later builds may have some level of mitigation in place and are counted as possibly vulnerable.
Geographically, potentially vulnerable Exchange servers are concentrated in Germany (about 25,000), the United States (22,000) and the United Kingdom (4,000). Shadowserver cautions that these figures may not reflect the true number of instances: its counts sum unique IP addresses over the tracking period, so the same IP may be counted more than once, and honeypots cannot reliably be distinguished from real servers.
The active exploitation of CVE-2024-21410 requires immediate action. First identify affected Exchange servers: any build at or below 15.2.1118.12, and any later build on which EPA is not enforced. Then install CU14 or, where CU14 cannot be applied immediately, enable EPA on builds Microsoft lists as supporting it using its ExchangeExtendedProtectionManagement.ps1 script. Afterwards, verify that the NTLM-authenticated front-end virtual directories actually require extended protection, because the build number alone does not prove the mitigation is on.
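The following triage script is an added example and is not code from the article, from Shadowserver or from Microsoft. It implements the identification step above on a single Exchange Server 2019 box: it reads the installed build from ExSetup.exe, compares it against the 15.2.1118.12 threshold quoted by Shadowserver, and checks whether EPA is set to Require on the NTLM-authenticated virtual directories by parsing applicationHost.config. The build number 15.2.1544.4 used for CU14 and the list of virtual directories checked are assumptions of this example; verify both against Microsoft's current build table and guidance before relying on them.

```powershell
# Added example: CVE-2024-21410 triage for one Exchange Server 2019 host.
# Not from the article, Shadowserver or Microsoft. Run in the Exchange Management
# Shell as an administrator.
# Assumptions: 15.2.1118.12 is the Shadowserver "vulnerable" ceiling quoted in the
# article; 15.2.1544.4 is ASSUMED to be the Exchange 2019 CU14 build; the vdir list
# below is ASSUMED to cover the NTLM-authenticated front-end paths EPA protects.

$VulnerableCeiling = [version]'15.2.1118.12'   # from the article (Shadowserver)
$Cu14Build         = [version]'15.2.1544.4'    # assumption, check Microsoft's build table

$NtlmVdirs = 'Default Web Site/EWS', 'Default Web Site/Autodiscover',
             'Default Web Site/OAB', 'Default Web Site/mapi', 'Default Web Site/Rpc'

function Get-ExchangeBuild {
    # ExSetup.exe's file version changes with both the CU and the SU, whereas
    # Get-ExchangeServer's AdminDisplayVersion only changes with the CU and would
    # therefore hide the SU level. ExSetup.exe is on PATH on Exchange servers.
    [version](Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
}

function Get-ExtendedProtectionState {
    # EPA is a per-location IIS setting:
    #   <location path="Default Web Site/EWS"> ... <windowsAuthenticationя>
    #     <extendedProtection tokenChecking="Require" .../>
    # Reading applicationHost.config directly avoids cmdlet differences across CUs.
    $configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    [xml]$appHost = Get-Content -Path $configPath -Raw
    foreach ($vdir in $NtlmVdirs) {
        $loc = $appHost.configuration.location | Where-Object { $_.path -eq $vdir }
        $ep  = $loc.'system.webServer'.security.authentication.windowsAuthentication.extendedProtection
        $tokenChecking = if ($ep) { $ep.tokenChecking } else { 'None (not set)' }
        [pscustomobject]@{ VirtualDirectory = $vdir; TokenChecking = $tokenChecking }
    }
}

function Get-Cve202421410Status {
    param(
        [Parameter(Mandatory)][version]$Build,
        [Parameter(Mandatory)][object[]]$EpaState
    )
    # Every checked vdir must be at Require; Allow or None still accepts a relayed
    # NTLM response that carries no channel binding.
    $allRequire = -not ($EpaState | Where-Object { $_.TokenChecking -ne 'Require' })

    if ($Build -le $VulnerableCeiling) {
        'VULNERABLE: build at or below the Shadowserver threshold; install CU14 or run ExchangeExtendedProtectionManagement.ps1'
    } elseif ($allRequire) {
        if ($Build -ge $Cu14Build) { 'Mitigated: CU14 or later with EPA required on all checked vdirs' }
        else { 'Mitigated: pre-CU14 build, but EPA is required on all checked vdirs (still plan the CU14 upgrade)' }
    } else {
        'POSSIBLY VULNERABLE: build above the threshold, but EPA is not Require on every checked vdir'
    }
}

# Usage: report the build, the per-vdir EPA state, and the overall verdict.
$build = Get-ExchangeBuild
$epa   = Get-ExtendedProtectionState
$epa | Format-Table -AutoSize
'{0}: build {1} -> {2}' -f $env:COMPUTERNAME, $build, (Get-Cve202421410Status -Build $build -EpaState $epa)
```

The verdict deliberately treats a build above 15.2.1118.12 as only "possibly vulnerable" until every checked virtual directory reports Require, mirroring Shadowserver's distinction: the build number says the mitigation is available, the IIS configuration says whether it is actually enforced. To fan this out across an organization, wrap the three functions in Invoke-Command against the output of Get-ExchangeServer.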