Where can I find more information about NTLM relay attacks?

Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with Windows security features, provide a more effective defense against pass-the-hash attacks.

How could an attacker exploit this vulnerability?

An attacker could target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed to the Exchange server to gain the privileges of the victim client and to perform operations on the Exchange server on the victim's behalf. For more information about Exchange Server's support for Extended Protection for Authentication (EPA), see Configure Windows Extended Protection in Exchange Server.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as that user.

Why is this CVE listed as being exploited?

This CVE for Exchange Server 2019 Cumulative Update 14 enforces previous mitigations by default. We provided an optional mitigation for NTLM relay attacks in general in August 2022. These were documented in an Outlook CVE (CVE-2023-23397). Microsoft was aware of targeted NTLM relay attacks back in 2023; however, we are not aware of any current exploitation of NTLM relay attacks against Exchange Server. Microsoft strongly recommends installing CU14 on Exchange Server 2019 or enabling Extended Protection within your organization as described in Configure Windows Extended Protection in Exchange Server.

How do I protect myself from this vulnerability?

Prio
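Extended Protection defeats a relayed NTLM credential because the server binds the authentication to the TLS channel it arrived on, so a relay through a different channel is rejected. The following audit script is an added example, not part of Microsoft's advisory or of the Exchange Extended Protection tooling; it reads the IIS windowsAuthentication configuration for the Exchange virtual directories and reports whether channel-binding token checking is set to Require. Assumptions: it runs in an elevated PowerShell session on the Exchange server with the IIS WebAdministration module available, the site and virtual directory names listed are the default ones and may differ in your deployment, and the extendedProtection.tokenChecking property path is the standard IIS schema for this setting.

```powershell
# Added audit example (not from the Microsoft advisory or Exchange scripts):
# report the IIS Extended Protection token-checking mode on Exchange vdirs.
# Assumptions: elevated session on the Exchange server, WebAdministration
# module present, default site/vdir names (adjust for your deployment).
Import-Module WebAdministration

# Default front-end and back-end virtual directories (assumed defaults).
$vdirs = @(
    'Default Web Site/EWS',
    'Default Web Site/Autodiscover',
    'Default Web Site/OAB',
    'Default Web Site/mapi',
    'Default Web Site/Microsoft-Server-ActiveSync',
    'Default Web Site/Rpc',
    'Exchange Back End/EWS',
    'Exchange Back End/Autodiscover'
)

$filter = 'system.webServer/security/authentication/windowsAuthentication'

$report = foreach ($vdir in $vdirs) {
    # Read the windowsAuthentication section scoped to this vdir via -Location.
    $cfg = Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $vdir -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { continue }   # vdir not present on this server role

    $mode = [string]$cfg.extendedProtection.tokenChecking   # None | Allow | Require

    [pscustomobject]@{
        VirtualDirectory = $vdir
        WindowsAuth      = [bool]$cfg.enabled
        TokenChecking    = $mode
        # Only 'Require' rejects NTLM authentication that lacks a valid channel
        # binding token; 'Allow' and 'None' still accept a relayed credential.
        RelayProtected   = ([bool]$cfg.enabled -and $mode -eq 'Require')
    }
}

$report | Format-Table -AutoSize

# Summarise anything that still accepts a relayed credential over Windows auth.
$exposed = $report | Where-Object { $_.WindowsAuth -and -not $_.RelayProtected }
if ($exposed) {
    Write-Warning ("Extended Protection is not set to Require on: " +
        (($exposed | ForEach-Object { $_.VirtualDirectory }) -join ', '))
} else {
    Write-Host "All audited virtual directories require channel binding."
}
```

Treat a Require result as necessary but not sufficient: Extended Protection also depends on TLS being terminated on the Exchange server itself (no SSL offloading in front of it) and on consistent TLS settings between front-end and back-end sites, which the Microsoft configuration guide referenced above covers.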
Maturity: Exploit
Internally found by Microsoft