20 February 2024

Over 28K Exchange servers found to be vulnerable to recent MS Exchange zero-day


Some 28,500 Microsoft Exchange servers are exposed to attacks leveraging a recently disclosed zero-day vulnerability in MS Exchange Server, according to new statistics from the nonprofit security organization ShadowServer.

The zero-day flaw in question (CVE-2024-21410) is a privilege escalation issue in Microsoft Exchange Server. A remote attacker can exploit it by targeting an NTLM client such as Outlook with an NTLM credential-leaking type of vulnerability; the leaked credentials can then be relayed to the Exchange server to gain the victim client's privileges and perform operations on the server on the victim's behalf.

The flaw affects Microsoft Exchange Server versions 2016 CU22 Nov22SU 15.01.2375.037 through 2019 RTM Mar21SU 15.02.0221.018. At the time of the public disclosure, Microsoft didn’t share any additional information regarding the nature of the vulnerability’s exploitation.
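As an added illustration (not code from the original article), the following Python check flags Exchange build numbers that fall inside the build range quoted above. It assumes the range is inclusive and that builds compare as numeric tuples; the server inventory is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Inclusive build range quoted in the article for CVE-2024-21410 (assumption:
# the "through" wording means an inclusive, tuple-ordered range).
AFFECTED_LOW = (15, 1, 2375, 37)   # 2016 CU22 Nov22SU, 15.01.2375.037
AFFECTED_HIGH = (15, 2, 221, 18)   # 2019 RTM Mar21SU, 15.02.0221.018

# Accept both the dotted form used in the article ("15.01.2375.037") and the
# AdminDisplayVersion form Exchange reports ("Version 15.1 (Build 2375.37)").
_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
_DISPLAY = re.compile(r"^Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)$")


def parse_build(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Normalise an Exchange build string to an int tuple; None if unparseable."""
    text = text.strip()
    m = _DOTTED.match(text) or _DISPLAY.match(text)
    if not m:
        return None
    # int() drops the zero padding, so 15.01.2375.037 == 15.1.2375.37
    return tuple(int(g) for g in m.groups())


def in_affected_range(build: Tuple[int, int, int, int]) -> bool:
    """True if the build lies inside the article's quoted affected range."""
    return AFFECTED_LOW <= build <= AFFECTED_HIGH


def triage(inventory: dict) -> dict:
    """Map server name -> 'affected', 'outside range' or 'unknown build'."""
    result = {}
    for name, version in inventory.items():
        build = parse_build(version)
        if build is None:
            result[name] = "unknown build"
        elif in_affected_range(build):
            result[name] = "affected"
        else:
            result[name] = "outside range"
    return result


# Constructed sample inventory (hypothetical hosts); mixes both version formats.
SAMPLE_INVENTORY = {
    "ex01": "Version 15.1 (Build 2375.37)",
    "ex02": "15.02.0221.018",
    "ex03": "Version 15.2 (Build 9999.1)",
    "ex04": "n/a",
}

if __name__ == "__main__":
    for server, status in triage(SAMPLE_INVENTORY).items():
        print(f"{server}: {status}")
```

A build reported as "outside range" is not confirmation that the server is patched; confirm the installed update against Microsoft's advisory for CVE-2024-21410.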

In addition, ShadowServer says it has identified 68,500 Exchange instances possibly vulnerable to CVE-2024-21410.

The majority of vulnerable instances were observed in Germany (25,695), followed by the US (21,997), and the UK (4,130).

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21410 to its Known Exploited Vulnerabilities Catalog. Currently, there's no publicly available proof-of-concept (PoC) exploit for this flaw.
