Microsoft Exchange Server Elevation of Privilege Vulnerability
The vulnerability results from improper identity verification (CWE-287 — Improper Authentication) in Microsoft Exchange Server. An attacker without any privileges can bypass authentication mechanisms over the network without user interaction and gain elevated privileges on the server. The network attack vector with low complexity (AC:L) and no prerequisites (PR:N, UI:N) allow the attack to be conducted automatically at scale.
An attacker can achieve high confidentiality, integrity, and availability of the system — which in practice means potential takeover of a Microsoft Exchange Server instance, access to user email, and the ability for further lateral movement within the organization's network.
Apply patches available from the vendor immediately in accordance with Microsoft Security Response Center (MSRC) references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410). Due to active exploitation of the vulnerability in production environments, the update should be treated as urgent and deployed outside the standard maintenance window.
Microsoft Exchange Server — specific versions indicated in vendor references (Microsoft Security Response Center)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Exchange Server
APPMicrosoft20162019
CISA KEV — detailsi
- Vendori
- Microsoft ↗
- Producti
- Exchange Server
- Added to KEVi
- February 15, 2024
- Remediation deadline (US Federal)i
- March 7, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
Related vulnerabilities
Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Elevation of Privilege Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Elevation of Privilege Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability