Security News > 2024 > February > Microsoft: New critical Exchange bug exploited as zero-day
Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
Microsoft announced today that Extended Protection will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update.
Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016.
CISA: Critical Microsoft SharePoint bug now actively exploited.
New critical Microsoft Outlook RCE bug is trivial to exploit.
News URL
Related news
- Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday' (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft fixes exploited zero-day (CVE-2024-49138) (source)
- Cleo patches critical zero-day exploited in data theft attacks (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix (source)