Exchange admins are scurrying again to patch their servers after Microsoft confirmed two new zero-day vulnerabilities that are already being exploited in the wild to breach networks.
“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft said.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”
The flaws are present in Exchange Server 2013, 2016, and 2019 but fortunately require an authenticated user to exploit.
With an authenticated account, however, CVE-2022-41040 gives the attacker the foothold needed to trigger the CVE-2022-41082 remote code execution flaw.
Exchange Online users are already protected; for on-premises users, Microsoft recommends the mitigations released by Vietnamese cybersecurity outfit GTSC, which was the first to publish details of the exploits.
“On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft added.
“The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block the known attack patterns.”
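Besides blocking the pattern, admins will want to know whether it has already hit their servers. The script below is an added example (not Microsoft's or GTSC's code) that scans IIS W3C logs for Autodiscover requests carrying both an '@' and 'powershell' in the URI, the shape Microsoft's published hunting guidance keys on. The log excerpt is constructed, and the field layout is assumed to be the IIS default.

```python
import re
from typing import Dict, Iterable, List

# Constructed IIS W3C log excerpt (not real traffic). Only the second
# request has the Autodiscover/PowerShell shape the mitigation blocks.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:01:12 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\\alice 10.0.0.20 Outlook/16.0 200
2022-09-30 08:02:40 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/powershell 443 CONTOSO\\alice 203.0.113.7 python-requests/2.28 200
2022-09-30 08:03:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/5.0 200
"""

# Assumed signature: Autodiscover path, then '@', then 'powershell' anywhere in the URI.
SUSPICIOUS = re.compile(r"autodiscover.*@.*powershell", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines column order
        elif line and not line.startswith("#") and fields:
            values = line.split()              # IIS encodes spaces as '+', so split is safe
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose stem+query matches the signature."""
    hits = []
    for row in parse_w3c(log_text.splitlines()):
        uri = row["cs-uri-stem"] + "?" + row["cs-uri-query"]
        if SUSPICIOUS.search(uri):
            hits.append({"time": f"{row['date']} {row['time']}",
                         "client": row["c-ip"],
                         "status": row["sc-status"],   # 200 means the request got through
                         "uri": uri})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(hit)
```

A 200 status on a matching request means it reached Exchange before the rewrite rule was in place, so treat those hosts as candidates for a closer look.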
Find the latest guidance at Microsoft here.