CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability
Overview
- Severity: High (CVSS 7.5)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
- Category: Spoofing
- Exploit Status: Not Exploited
- Exploitation Likelihood: More Likely
- Publicly Disclosed: Yes
- Patch Tuesday: 2024-Nov
- Released: 2024-11-12
- Last Updated: 2024-11-27
- EPSS Score: 5.69% (percentile: 90.4%)
FAQ
Is there additional information I need to know about or actions to perform after installing the update?
Yes. Please see the information available in Exchange Server non-RFC compliant P2 FROM header detection.
Why are the Exchange Server updates no longer available on the download center?
Microsoft has temporarily paused the rollout of this update. Please see the known issues section of the Exchange Server blog post.
We are working on addressing this issue and we'll update this CVE when it is resolved.
11/27/2024 Update: The known issue has been addressed and the update is now re-released.
Affected Products (3)
Server Software
- Microsoft Exchange Server 2019 Cumulative Update 13
- Microsoft Exchange Server 2019 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 23
Security Updates (3)
Acknowledgments
Slonser (https://x.com/slonser_) with Solidlab (https://solidlab.ru/)
Revision History
- 2024-11-12: Information published.
- 2024-11-14: Added an FAQ to indicate that we have temporarily paused the rollout of this update. Please see the Exchange Server Blog entry for more information.
- 2024-11-27: Microsoft has addressed the known issue in the November 12, 2024 security update. We strongly recommend installing the new security update identified by KB5049233. Please see the Exchange Server blog post for more information.