Zero-day Vulnerabilities in Microsoft Exchange
If you’re part of the Microsoft ecosystem and run an Exchange server, you should read this post carefully. During a routine audit of our CYBERWALL.AI (WAF), we have just patched two dangerous vulnerabilities that affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. As of today, Microsoft is still investigating a fix.
*Exchange Online customers do not need to take any action.
The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Under the right conditions, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
The vulnerabilities allow attackers to plant backdoors or achieve RCE on the affected system and take over other servers in the same environment. Malicious actors can leverage this to exfiltrate information from your servers and move laterally within your network.
All our customers using CYBERWALL.AI (WAF) are already protected against these vulnerabilities by our virtual patches.
For Microsoft Exchange owners who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft has released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically.
Microsoft has created the following tool for the URL Rewrite mitigation steps. If you are more advanced in terms of remediation, you can always refer to the Microsoft Security Response Center for more information.