Microsoft Exchange Server Vulnerability: Patch as soon as possible

Last Friday, September 30, two new Microsoft Exchange Server vulnerabilities became known and are being actively exploited in a series of targeted attacks. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that essentially opens the door for attackers to gain access to the Exchange Server. The second, CVE-2022-41082, allows remote code execution (RCE) via PowerShell once an attacker is on the server.

This attack chain is similar to last year's ProxyShell attacks, and as with those attacks, the security industry is bracing for broader exploitation of these vulnerabilities now that they are public knowledge.

Chester Wisniewski, Principal Research Scientist at Sophos says:

“After Microsoft confirmed two new zero-day vulnerabilities in Microsoft Exchange on Friday, security researchers have been investigating the potential impact and what to do to protect against exploitation. As of this writing, only an extremely small number of victims are known to be affected by this vulnerability. This buys us all some time to implement fixes and prepare for patches as soon as Microsoft makes them available. For Exchange customers who are current with the September 2022 patches and updates, Microsoft has implemented a URL rewrite rule as a mitigation against the known attack to prevent it from working. Unfortunately, bypassing this nerf has proven to be trivial, so we’re all still awaiting an official patch. IT teams should prepare to apply the patch as soon as possible after release.”
