Two Microsoft Exchange zero-days exploited by attackers (CVE-2022-41040, CVE-2022-41082)

Attackers are leveraging two zero-day vulnerabilities to breach Microsoft Exchange servers.
"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities."
"Microsoft Exchange Online has detections and mitigation in place to protect customers," Microsoft said, but urged admins of on-prem installations of Exchange Server to implement mitigations, which include adding a blocking rule and blocking some ports.
GTSC's researchers initially thought that the attackers were exploiting the ProxyShell vulnerability, but further analysis proved that the targeted MS Exchange servers were up-to-date with the patches, so the theory of ProxyShell being exploited was discarded.
GTSC's researchers discovered the attacks at the beginning of August, and say that the attackers' ultimate goal was to "Create backdoors on the affected system and perform lateral movements to other servers in the system."
"A quick sweep of the internet suggests a lot of organisations haven't yet patched for ProxyShell, which is understandable given how Exchange patching works," Beaumont noted, and found that there are nearly 250,000 vulnerable Exchange servers exposed on the internet.
News URL
https://www.helpnetsecurity.com/2022/09/30/cve-2022-41040-cve-2022-41082/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019. Microsoft Exchange Server Remote Code Execution Vulnerability | 8.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019. Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |