Microsoft has updated its security advisory on a recently patched MS Exchange security vulnerability to say that the flaw is under active exploitation.

The vulnerability (CVE-2024-21410) is a privilege escalation issue in Microsoft Exchange Server that can be exploited by a remote attacker to target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.

The flaw affects Microsoft Exchange Server versions 2016 CU22 Nov22SU 15.01.2375.037 through 2019 RTM Mar21SU 15.02.0221.018.

The tech giant didn’t provide any details regarding the nature of the exploitation or what threat actor was behind the attacks.

As part of its February 2024 Patch Tuesday released this week, Microsoft addressed two additional zero-day vulnerabilities CVE-2024-21351 and CVE-2024-21412. Both flaws have been described as a Windows SmartScreen security feature bypass issue that could be exploited for running malicious files on the system or remote code execution.

According to Trend Micro, CVE-2024-21412 has been exploited as part of a sophisticated zero-day attack chain by a threat actor tracked as Water Hydra (aka DarkCasino) that targeted financial market traders. The attackers leveraged the zero-day flaw to deploy the DarkMe malware.