Security News > 2024 > February > Microsoft: New critical Exchange bug exploited as zero-day
Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
Microsoft announced today that Extended Protection will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update.
Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016.
CISA: Critical Microsoft SharePoint bug now actively exploited.
New critical Microsoft Outlook RCE bug is trivial to exploit.
News URL
Related news
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- Microsoft launches Zero Day Quest hacking event with $4 million in rewards (source)
- Palo Alto Networks tackles firewall-busting zero-days with critical patches (source)