Security News, October 2022: Microsoft Exchange server zero-day mitigation can be bypassed
Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough.
Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution.
As part of an advisory, Microsoft shared mitigations for on-premise servers and a strong recommendation for Exchange Server customers to "disable remote PowerShell access for non-admin users" in the organization.
Administrators can achieve the same result by running Microsoft's updated Exchange On-premises Mitigation Tool - a script that requires PowerShell 3 or later, needs to run with admin privileges, and runs on IIS 7.5 or newer.
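One way to apply the "disable remote PowerShell for non-admin users" recommendation from an elevated Exchange Management Shell, written here as an added example rather than Microsoft's EOMT script or anything from the article; the role group names, the exclusion list and the -Apply switch are assumptions to adapt per organization, and, as the article stresses, this step alone does not close the bypass.

```powershell
# Added example (not Microsoft's mitigation tool): report, and with -Apply disable,
# remote PowerShell for every mailbox user who is not in an admin role group.
# Assumes an elevated Exchange Management Shell on the on-premises server.
param(
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Role groups whose members keep remote PowerShell (assumption: adjust to your org).
$adminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')

# Service or automation accounts that must keep remote PowerShell (assumption: fill in).
$excludeUpns = @('svc-exchange-automation@example.internal')

# Collect the distinguished names of every admin role group member.
$adminDns = @{}
foreach ($group in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ResultSize Unlimited | ForEach-Object {
        $adminDns[$_.DistinguishedName] = $true
    }
}

# Candidates: users who currently have remote PowerShell, are not admins,
# and are not on the exclusion list.
$candidates = Get-User -ResultSize Unlimited | Where-Object {
    $_.RemotePowerShellEnabled -and
    -not $adminDns.ContainsKey($_.DistinguishedName) -and
    ($excludeUpns -notcontains $_.UserPrincipalName)
}

Write-Output ("{0} non-admin user(s) currently have remote PowerShell enabled." -f @($candidates).Count)

foreach ($user in $candidates) {
    if ($Apply) {
        # Per-user change; keep the console output as a change record for the ticket.
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        Write-Output "Disabled remote PowerShell for $($user.UserPrincipalName)"
    } else {
        Write-Output "Would disable remote PowerShell for $($user.UserPrincipalName) (re-run with -Apply)"
    }
}
```

Run it once without -Apply and review the list before applying, since any account that legitimately scripts against Exchange and is not in the exclusion list will lose access.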
Jang's finding has been tested by researchers at GTSC, who confirmed in a video today that Microsoft's mitigation does not provide sufficient protection.
CVE-2022-41082 has the same high-severity score but it can be used for remote code execution on vulnerable on-premise Microsoft Exchange Servers by an attacker with "Privileges that provide basic user capabilities".
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Elevation of Privilege Vulnerability) | 0.0 |