Event Summary
Two Zero-Day vulnerabilities (previously undisclosed but now linked to CVE-2022-41040 & CVE-2022-41082) are currently exploited by attackers to get Authorized RCE access on Microsoft Exchange Servers (2013, 2016 and 2019)
Details
| Product Affected | Vulnerable Version | CVE-CVSS Associated | Risk / Details for vulnerability | Recommendations |
| MS Exchange Server | 2013 – 2016 – 2019 | CVE-2022-41040
CVE-2022-41082
|
Authenticated server-side request forgery vulnerability in Microsoft Exchange Servers (2022-41040) with a CVSSv3 score of 6.6 and authenticated remote code execution vulnerability (2022-41082) assigned a CVSSv3 score of 8.8 | The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. Exchange Server customers should review and choose only one of the following three mitigation options. |
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. At this time, SOD recommends applying vendor recommendations and actions immediately.
SOD Threat Recon Unit will also keep track of any exploitation tool or PoC (Proof of Concept) that could leverage the usage of those vulnerabilities to exploit systems actively. Information about new IoCs and IoAs will be included proactively as part of the monitoring mechanism included on Threat Watch on their multiple service tiers.
Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.
Resources
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ – Microsoft Advisory
Vulnerabilities reported:
- https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
