Security News > 2022 > September > Two Microsoft Exchange zero-days exploited by attackers (CVE-2022-41040, CVE-2022-41082)
Attackers are leveraging two zero-day vulnerabilities to breach Microsoft Exchange servers.
"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities."
"Microsoft Exchange Online has detections and mitigation in place to protect customers," Microsoft said, but urged admins of on-prem installations of Exchange Server to implement mitigations, which include adding a blocking rule and blocking some ports.
GTSC's researchers initially thought that the attackers were exploiting the ProxyShell vulnerability, but further analysis proved that the targeted MS Exchange servers were up-to-date with the patches, so the theory of ProxyShell being exploited was discarded.
GTSC's researchers discovered the attacks at the beginning of August, and say that the attackers ultimate goal was to "Create backdoors on the affected system and perform lateral movements to other servers in the system."
"A quick sweep of the internet suggests a lot of organisations haven't yet patched for ProxyShell, which is understandable given how Exchange patching works," Beaumont noted, and found that there are nearly 250,000 vulnerable Exchange servers exposed on the internet.
News URL
https://www.helpnetsecurity.com/2022/09/30/cve-2022-41040-cve-2022-41082/
Related news
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |