CVE-2024-21410

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVSS 9.8 CRITICALEPSS 12.7%● KEVCWE-287

In short

A critical flaw in Microsoft Exchange Server allows an authenticated user to gain system administrator privileges without proper authorization. This vulnerability enables attackers who have basic access to take complete control of the email server.

Technical detail

An authentication bypass vulnerability (CWE-287) in Microsoft Exchange Server permits privilege escalation from authenticated user to SYSTEM level. The attack requires valid user credentials but no additional exploitation; successful exploitation grants complete administrative control over the Exchange environment.

Summary generated and translated by AI from the official description.

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Affected products

Microsoft · Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft · Microsoft Exchange Server 2019 Cumulative Update 13 Microsoft · Microsoft Exchange Server 2019 Cumulative Update 14

public PoCs found — 1

githubgithub.com/Piyush20004/SentinelStream-AI★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21410