CVE-2022-41040
CVE-2022-41082
Discovered: 9/30/2022
Impacted Tech: Microsoft Exchange Server 2013, 2016, 2019
Attacker Location: Internal
Highlights:
After limited exploitation was identified, Microsoft issued a statement confirming two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019.
According to Microsoft, authenticated access to the vulnerable Exchange server is required for an attacker to successfully exploit either vulnerability.
CVE-2022-41040 is a Server-Side Request Forgery (SSRF), in which attackers abuse the way a web application imports or reads data from URLs in order to access or modify potentially sensitive data. Exploitation of this vulnerability would allow an authenticated attacker to remotely trigger the CVE-2022-41082 Remote Code Execution (RCE) vulnerability.
Mitigation:
The mitigation script released by Microsoft on 10/4/2022 was updated because of a bypass to the mitigation. If you ran this script before October 4th, 2022, please re-download and re-run the script for the updated vulnerability mitigation.
For customers with the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation is enabled automatically and has been updated to include the URL Rewrite rule improvement.
For those without EEMS enabled, Microsoft released the “Exchange On-premises Mitigation tool v2 (EOMTv2)” script, which mitigates CVE-2022-41040 and thereby reduces the risk from both vulnerabilities.
This script checks for the latest version of the script, downloads it, and mitigates the attacks via a URL Rewrite configuration.
A download link for this script, along with additional instructions on how to manually apply the mitigation, is provided on the Microsoft page listed in the references below.
Additionally, Microsoft recommended that customers disable remote PowerShell access for non-admin users in their organization.
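As an added example that is not part of this advisory or of Microsoft's EOMTv2 script, the following Exchange Management Shell script audits which users still have remote PowerShell enabled and disables it for everyone outside a set of admin role groups. The role group names are an assumption; adjust them to the groups your administrators actually belong to.

```powershell
# Added example (not from the advisory or Microsoft's EOMTv2). Run in the Exchange
# Management Shell. Without -Apply it only reports what it would change.
param(
    # Assumed admin role group names; members of these keep remote PowerShell.
    [string[]]$AdminRoleGroups = @("Organization Management", "Server Management"),
    [switch]$Apply
)

# Collect the distinguished names of every admin role group member.
$keep = @{}
foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $keep[$_.DistinguishedName] = $true }
}

# Enumerate every user object that currently has remote PowerShell enabled.
$enabled = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -eq $true })

# Candidates for disabling: enabled users who are not in any admin role group.
$toDisable = @($enabled | Where-Object { -not $keep.ContainsKey($_.DistinguishedName) })

Write-Host ("{0} users have remote PowerShell enabled; {1} are outside admin role groups." -f
    $enabled.Count, $toDisable.Count)

foreach ($user in $toDisable) {
    if ($Apply) {
        Set-User -Identity $user.DistinguishedName -RemotePowerShellEnabled $false
        Write-Host "Disabled remote PowerShell for $($user.UserPrincipalName)"
    } else {
        Write-Host "Would disable remote PowerShell for $($user.UserPrincipalName) (re-run with -Apply)"
    }
}
```

Run it first without -Apply and confirm the account you are using appears in one of the admin role groups, since the setting also governs the session you are running from.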
References:
Microsoft confirms new Exchange zero-days are used in attacks (bleepingcomputer.com)
EOMTv2 – Microsoft – CSS-Exchange – Mitigation Script
