Security News > 2022 > September > New Microsoft Exchange zero-days reportedly exploited in attacks

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.
Microsoft hasn't disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.
The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.
"GTSC submitted the vulnerability to the Zero Day Initiative right away to work with Microsoft so that a patch could be prepared as soon as possible," they added.
There's reports emerging that a new zero day exists in Microsoft Exchange, and is being actively exploited in the wild.
"We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages," GTSC added.
News URL
Related news
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Apple fixes zero-day exploited in 'extremely sophisticated' attacks (source)
- Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)