12:00pm, 19 February 2024
TLP Rating:
CVEs affecting Microsoft products
The NCSC would like to draw your attention to two critical zero-day vulnerabilities affecting Microsoft products:
- CVE-2024-21410 affecting Exchange Server
- CVE-2024-21413 affecting Outlook
CVE-2024-21410 affecting Microsoft Exchange Server has a CVSS score of 9.8 and can allow unauthenticated attackers to achieve privilege escalation by accessing user credentials that can be relayed to impersonate legitimate users against Exchange servers. The NCSC is aware of open-source reporting of active exploitation as well as a public proof of concept.
CVE-2024-21413 affecting Microsoft Outlook has a CVSS score of 9.8 and can allow an unauthenticated attacker to achieve remote code execution and bypass the Protected View settings of Office documents, so that users open links sent within emails in editing mode. Malicious actors are likely to attempt exploitation with phishing emails containing Office documents, and it is recommended that organisations remind staff to stay vigilant for suspicious activity. The NCSC is not currently aware of open-source reporting of active exploitation, but a public proof of concept exists.
The NCSC encourages organisations in New Zealand that use the affected products to review the related security advisories and apply the relevant patches and mitigations (if available) as soon as possible.
If your organisation has seen or does see evidence of compromise related to these CVEs, please contact incidents@ncsc.govt.nz.