Security News > 2022 > October > Microsoft Exchange server zero-day mitigation can be bypassed
Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough.
Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution.
"As part of an advisory, Microsoft shared mitigations for on-premise servers and a strong recommendation for Exchange Server customers to"disable remote PowerShell access for non-admin users" in the organization.
Administrators can achieve the same result by running Microsoft's updated Exchange On-premises Mitigation Tool - a script that requires PowerShell 3 or later, needs to run with admin privileges, and runs on IIS 7.5 or newer.
Jang's finding has been tested by researchers at GTSC, who confirmed in a video today that Microsoft's mitigation does not provide sufficient protection.
CVE-2022-41082 has the same high-severity score but it can be used for remote code execution on vulnerable on-premise Microsoft Exchange Servers by an attacker with "Privileges that provide basic user capabilities".
News URL
Related news
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |