Security News > 2022 > September > Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation.
"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution when PowerShell is accessible to the attacker," the tech giant said.
The company also confirmed that it's aware of "Limited targeted attacks" weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.
The attacks detailed by Microsoft show that the two flaws are stringed together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.
The Redmond-based company also confirmed that it's working on an "Accelerated timeline" to push a fix, while urging on premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats.
It's worth noting that Microsoft Exchange Online Customers are not affected.
News URL
https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html
Related news
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |