Security News > 2024 > February > Microsoft: New critical Exchange bug exploited as zero-day
Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
Microsoft announced today that Extended Protection will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update.
Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016.
CISA: Critical Microsoft SharePoint bug now actively exploited.
New critical Microsoft Outlook RCE bug is trivial to exploit.
News URL
Related news
- Microsoft: Exchange 2016 and 2019 reach end of support in six months (source)
- Microsoft fixes Exchange Online bug flagging Gmail emails as spam (source)
- US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks (source)
- Fortinet fixes critical zero-day exploited in FortiVoice attacks (source)
- Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws (source)
- Patch Tuesday: Microsoft fixes 5 actively exploited zero-days (source)
- Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server (source)
- Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own (source)