Alert essentials:
A previously disclosed Exchange zero-day is under active exploitation.
Deploy patches immediately!
Detailed threat description:
Yesterday, an exploited spoofing vulnerability in Exchange Server received a patch. CVE-2024-49040 stems from the current implementation of P2 FROM header verification used in email transport.
This vulnerability allows specific non-compliant headers to bypass checks, potentially leading the email client to display a malicious actor as a legitimate user.
Once the update is applied, the Exchange Server will detect and flag email messages that contain potentially harmful patterns in the P2 FROM header. Applying the patch as soon as possible is therefore crucial.
Impacts on healthcare organizations:
This attack vector poses a risk for healthcare organizations, which rely on secure email systems to handle sensitive patient data and operational coordination.
Exploiting this vulnerability could allow attackers to impersonate trusted entities, leading to unauthorized access to medical records, interference with patient care communications, or even phishing attacks that could compromise additional systems.
Affected Products / Versions:
Only servers with Microsoft Exchange Server installed are vulnerable.
CVE: CVE-2024-49040
KB: KB5044062
Recommendations
Engineering recommendations:
- Apply missing patches to impacted systems
- Review email filtering rules and alert settings to ensure they capture spoofing attempts
- Monitor Exchange server logs regularly for abnormal activity to detect potential exploitation
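As an added illustration of the two points above (the non-compliant P2 FROM header described in the threat description, and the filtering-rule and log-review recommendations here), the following Python script flags messages whose From header does not parse as a single, well-formed RFC 5322 mailbox, or whose display name shows an address that differs from the real sender. This is example code written for this advisory, not Microsoft's Exchange detection logic or Fortified's tooling; it relies only on the standard-library email parser with `policy.default`, and the sample messages, domains and finding tags are constructed for the example.

```python
"""Flag mail whose P2 FROM header is not a single, well-formed RFC 5322 mailbox.

Added illustration for the advisory above (not Microsoft's or Fortified's
code).  It does not reproduce Exchange's own detection; it shows the kind of
header-compliance check a mail filter or log-review script can apply.
All sample messages below are constructed for the example.
"""
import re
from email import policy
from email.parser import BytesParser

# Something that looks like an e-mail address embedded in free text
# (used to spot display names that imitate a different sender).
ADDR_LIKE = re.compile(r'[^\s<>"(),;]+@[^\s<>"(),;]+')


def from_header_findings(raw: bytes) -> list[str]:
    """Return 'tag: detail' findings for the message's From (P2) header.

    An empty list means the header parsed as exactly one compliant mailbox
    with no deceptive display name.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    headers = msg.get_all("From", [])
    if not headers:
        return ["missing-from: message has no From header"]
    # RFC 5322 permits only one From field per message.
    if len(headers) > 1:
        findings.append(f"multiple-from: {len(headers)} From headers present")

    hdr = headers[0]
    # policy.default records RFC 5322 parse problems as defects instead of raising.
    for defect in hdr.defects:
        findings.append(f"parse-defect: {type(defect).__name__}: {defect}")

    addresses = hdr.addresses
    if len(addresses) != 1:
        findings.append(f"mailbox-count: {len(addresses)} mailboxes in From")

    for addr in addresses:
        if not addr.username or not addr.domain:
            findings.append(f"incomplete-addr-spec: {addr.addr_spec!r}")
        # A display name that itself looks like an address, but not the
        # address actually used, is what the client would show a user.
        for shown in ADDR_LIKE.findall(addr.display_name):
            if shown.lower() != addr.addr_spec.lower():
                findings.append(
                    f"deceptive-display-name: {shown!r} shown, {addr.addr_spec!r} actual"
                )
    return findings


def tags(findings: list[str]) -> set[str]:
    """The set of finding tags (the part before the first colon)."""
    return {f.split(":", 1)[0] for f in findings}


# Constructed sample messages (example.org / hospital.example / outside.example
# are placeholder domains, not real senders).
SAMPLES = {
    "clean": (
        b"From: Alice Example <alice@example.org>\r\n"
        b"To: bob@example.net\r\nSubject: Test\r\n\r\nHello\r\n"
    ),
    "lookalike_display_name": (
        b'From: "ceo@hospital.example" <someone@outside.example>\r\n'
        b"To: bob@example.net\r\nSubject: Test\r\n\r\nHello\r\n"
    ),
    "two_from_headers": (
        b"From: Alice Example <alice@example.org>\r\n"
        b"From: billing@hospital.example\r\n"
        b"To: bob@example.net\r\nSubject: Test\r\n\r\nHello\r\n"
    ),
    "malformed": (
        b"From: someone@outside.example <ceo@hospital.example>\r\n"
        b"To: bob@example.net\r\nSubject: Test\r\n\r\nHello\r\n"
    ),
    "no_from": b"To: bob@example.net\r\nSubject: Test\r\n\r\nHello\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", from_header_findings(raw) or "ok")
```

Messages that produce any finding are candidates for quarantine or for a closer look in the transport logs; the script deliberately reports every check that fails rather than stopping at the first, so a single review pass shows the full picture for a message.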
Leadership/Program recommendations:
- Keep the CVE-2024-49040 protection enabled, per Microsoft's recommendation, to block phishing attacks that exploit non-compliant email headers
- Review CISA’s Top Routinely Exploited Vulnerabilities list
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Microsoft patches for Spoofing Vulnerability CVE-2024-49040: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49040
- Microsoft Exchange Server non-RFC compliant P2 FROM header detection for Exchange server 2019: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-non-compliant-p2from-detection?view=exchserver-2019
- November 2024 Exchange Server Security Updates: Released: November 2024 Exchange Server Security Updates | Microsoft Community Hub
- Security update for Microsoft Exchange Server 2019 and 2016: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-november-12-2024-kb5044062-a76c849c-b096-4e0c-a267-bf43964d679a
- CISA 2023 Top Routinely Exploited Vulnerabilities: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
- All Exchange vulnerabilities at CVEdetails.com: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/Microsoft-Exchange-Server.html