Cyber Security Alert: CVEs affecting Microsoft products

The NCSC would like to draw your attention to two critical zero-day vulnerabilities affecting Microsoft products:

CVE-2024-21410, affecting Microsoft Exchange Server, has a CVSS score of 9.8. It can allow unauthenticated attackers to achieve privilege escalation by obtaining user credentials that can then be relayed to impersonate legitimate users against Exchange servers. The NCSC is aware of open-source reporting of active exploitation as well as a public proof of concept.

CVE-2024-21413, affecting Microsoft Outlook, has a CVSS score of 9.8. It can allow an unauthenticated attacker to achieve remote code execution by bypassing the Protected View settings of Office documents, so that links sent within emails open in editing mode rather than in Protected View. Malicious actors are likely to attempt exploitation with phishing emails containing Office documents, and it is recommended that organisations remind staff to stay vigilant for suspicious activity. The NCSC is not currently aware of open-source reporting of active exploitation, but a public proof of concept exists.

The NCSC encourages organisations in New Zealand that use the affected products to review the related security advisories and apply the relevant patches and mitigations (if available) as soon as possible.

If your organisation has seen or does see evidence of compromise related to these CVEs, please contact incidents@ncsc.govt.nz.

For more NCSC NZ updates, follow us on LinkedIn.

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.