Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.

Exchange CVE-2024-21410 2013/2016/2019 Extended Protection Kemp-F5 and Modern Hybrid Mode problem

Primary target which is part of the attack: Make sure you ROLLOUT the Outlook.exe 02/2024 Patch. That is the most important thing. Esp. On Home Office/Remote Office which may have SMB/445 to WAN open and for VPN users NO traffic to/via VPN-2-HQ policy (Which is not good in this case)

Microsoft Office 2016 (32-bit edition)    5002537    Security Update    16.0.5435.1001

Microsoft Office 2016 (32-bit edition)    5002467    Security Update    16.0.5435.1001

Microsoft Office 2016 (32-bit edition)    5002522    Security Update    16.0.5435.1001

Microsoft Office 2016 (32-bit edition)    5002469    Security Update    16.0.5435.1001

Microsoft Office 2016 (32-bit edition)    5002519    Security Update    16.0.5435.1001

For the current Exchange NTLM Leaks CVE-2024-21410

For older Leaks: CVE-2022-24516,CVE-2022-21979,CVE-2022-21980,CVE-2022-24477,CVE-2022-30134



Warning built in now:

Enabling Extended Protection

Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work when Extended Protection is enabled.

– SSL offloading or SSL termination via Layer 7 load balancing.

– Exchange Hybrid Features if using Modern Hybrid.

– Access to Public folders on Exchange 2013 Servers.

You can find more information on: Do you want to proceed?


Warning Load Balancer:

Warning MODERN Hybrid Mode (The Hybrid setups with HYBRID-Agents MSI)

  • Exchange Modern Hybrid Topology: Enabling Extended Protection in “Exchange Modern Hybrid Topology” is NOT supported. If you run in “Modern Mode” you are using an “Hybrid Agent” (A MSI Agent you had installed). See below to find out if you have “CLASSIC” or “Modern Hybrid” activated in your Hybrid enviroment.


In HCW Hybrid Wizard GUI:


Attention Hybrid Environment Administrators:




If your organization relies on a hybrid Exchange environment, heed this crucial information regarding Extended Protection and Modern Hybrid configuration:



Enabling Extended Protection on hybrid servers configured with Modern Hybrid settings poses a severe risk to operational stability.



Incompatibility exists between Extended Protection and Modern Hybrid configuration. Attempting to enable Extended Protection on servers operating under Modern Hybrid settings will result in catastrophic disruptions, jeopardizing essential functions like mailbox migrations and Free/Busy functionalities.


Action Required:

Take immediate action to safeguard your hybrid environment:


Identify all Hybrid Servers published via the Hybrid Agent.


DO NOT enable Extended Protection on these identified servers to avoid operational disruptions.

Failure to comply with these directives may lead to significant service interruptions and operational downtime.


This warning is of utmost importance for maintaining the integrity and functionality of your hybrid Exchange environment.


Here is a screenshot where you see the “Modern Hybrid” which will NOT work with Extended Protection



Hybrid Configuration wizard >HCW/Hybrid Mode on-premises<>M365/EXO/Cloud customers: Re-check what you have active by GUI:


Relevant/Important SCREEN where you choose “CLASSIC” or “MODERN”.

Notice that with the “Modern Hybrid Topology” you had to install an “HYBRID AGENT” for Free Busy and Mailbox Migration. If you DO NOT have that AGENT installed you did choose CLASSI Mode the time you setup the HCW.




Trick to identify if you are in CLASSIC or MODERN Hybrid MODE or IF you EVEN are in “Hybrid Mode or not!”

  • The Modern Hybrid Mode uses Agents (Not the HCW Hybrid Configration Wizard tool). After you did RUN the HCW and choosed the HYBRID Mode > Then if you choosed MODERN Hybrid MODE > After that you had to Deploy/Install some Agent via the HCW or with MSI package.

  • You maybe installed additional “HYBRID AGENT” like with “Msiexec /i MSHybridService.msi”.

    If you NEVER done BOTH that THEN to 99% your are in CLASSIC Hybrid Mode and you can activate EP (If you checked any other points).


Check “Hybrid-Agent” with PowerShell:

Import-module .\HybridManagement.psm1

After that you can run the following command to view Agent status:

Get-HybridAgent -Credential (Get-Credential)


Trick to identify if you are in CLASSIC or MODERN Hybrid MODE or IF you EVEN are in “Hybrid Mode or not!”

M365/EXO side:

Connect-ExchangeOnline -UserPrincipalName <YourAdminAccount> -ShowProgress $true

Get-HybridConfiguration | Select-Object -ExpandProperty ModernHybrid

On-premises on the Exchange 2013/2016/2019:

Get-HybridConfiguration | fl

C:\Windows\system32>Get-HybridConfiguration | fl

RunspaceId : **************************
ClientAccessServers : {}
EdgeTransportServers : {}
ReceivingTransportServers : {server names}
SendingTransportServers : {server names}
OnPremisesSmartHost : host name
Domains : {domain names}
Features : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive,
SecureMail, Photos}

If nothing appear and you have the permission THEN you are NOT in ANY on-premises <> M365/EXCO/Cloud Mode

Above: That customer has NO Hybrid Mode

IF under FEATURES: You see “Mailtips”, “MessageTracking” you are in CLASSIC MODE

IF under FEATURES: You see “Mailtips”, “MessageTracking” you are in CLASSIC MODE



Technical Scenario Overview:

Microsoft’s February 14, 2024 advisory updates detail critical vulnerabilities in Microsoft Exchange Server (CVE-2024-21410) and Outlook (CVE-2024-21413), both rated 9.8 on the CVSS scale. These vulnerabilities allow attackers to exploit NTLM relay weaknesses, gaining unauthorized access and potentially executing code.


Exchange Server Vulnerability (CVE-2024-21410):

The CVE-2024-21410 vulnerability, addressed in the February Patch Tuesday, facilitates unauthorized access to Exchange Servers. Exploiting this flaw, attackers can use stolen Net-NTLMv2 hash values to authenticate and execute actions with the victim’s permissions. Notably, this vulnerability carries a CVSS score of 9.8, signifying its critical severity.


Mitigation Measures:

To address these vulnerabilities, IT security personnel should prioritize implementing Extended Protection (EP) features. Exchange Server 2019 CU14 includes EP as a default security measure. For older versions, manual activation of EP is necessary. Microsoft introduced EP as an optional feature in Exchange Server 2013 (End of Support), 2016, and 2019.

Please plan this carefully if you have KEMP/F5 Load Balancers or you have a HYBRID Setup.


Configuration and Verification:

Configuration guidelines and prerequisites for EP activation are available in Microsoft’s documentation. The “ExchangeExtendedProtectionManagement.ps1” script facilitates pre-activation configuration checks to prevent post-activation issues. Additionally, the HealthChecker Tool aids in verifying EP activation status on Exchange Servers.


Patch Application:

While Microsoft assesses the likelihood of exploitation for CVE-2024-21413 as low, prompt patching is recommended. Applying Cumulative Update 14 for Exchange Server 2019 (KB5035606) and reviewing additional security advisories from the recent Patch Tuesday are crucial steps in maintaining system integrity and security.


Links used for research:



Exchange Release and Build numbers:


CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability


Configure Windows Extended Protection in Exchange Server


ExchangeExtendedProtectionManagement Tool

Powershell: ExchangeExtendedProtectionManagement.ps1


Cumulative Update 14 for Exchange Server 2019 (KB5035606)


HealthChecker Tool


CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability


Fromt KEMP itself:

Extended Protection enabled in Exchange Server (KB5017260):,be%20supported%20on%20servers%20that%20run%20Exchange%20Server

Exchange Server Support for Windows Extended Protection:


  • The Master LINK for EP Extended Protection done by MS after the phone lines where busy….

Yes it works for Apple Macintosh MAC now because they did not lock it down fully. We wait for an exploit on MAC with Exchange now right? It is just the OAB Offline Adressbook where all the confindential data Like Phone Number and private numbers are in….



 Category published:  Exchange 2013 Exchange 2016 Exchange 2019 M365 - Exchange Online Microsoft Exchange Server 2022 [21H2/22H2/32H2]   Click on the Category button to get more articles regarding that product.