CVE-2024-21410
Microsoft Exchange Server Elevation of Privilege Vulnerability
Vexday Risk Score
83Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8EPSS 12.7%KEV simPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
13 Feb 2024Published on NVD
15 Feb 2024Active exploitation (CISA KEV)
27 Mar 2026Public PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A critical flaw in Microsoft Exchange Server allows an authenticated user to gain system administrator privileges without proper authorization. This vulnerability enables attackers who have basic access to take complete control of the email server.
Technical detail
An authentication bypass vulnerability (CWE-287) in Microsoft Exchange Server permits privilege escalation from authenticated user to SYSTEM level. The attack requires valid user credentials but no additional exploitation; successful exploitation grants complete administrative control over the Exchange environment.
Summary generated and translated by AI from the official description.
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Affected products
Microsoft · Microsoft Exchange Server 2016 Cumulative Update 23Microsoft · Microsoft Exchange Server 2019 Cumulative Update 13Microsoft · Microsoft Exchange Server 2019 Cumulative Update 14public PoCs found — 1
githubgithub.com/Piyush20004/SentinelStream-AI★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →