Security News > 2024 > February > Microsoft: New critical Exchange bug exploited as zero-day

Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
Microsoft announced today that Extended Protection will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update.
Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016.