Security News > 2022 > October > Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed.
The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.
In-the-wild attacks abusing the shortcomings have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells.
To reduce the risk of exploitation, the company also shared temporary workarounds that are designed to restrict known attack patterns through a rule in the IIS Manager.
Microsoft has since revised the URL Rewrite rule to take this into account -.
It's not immediately clear when Microsoft plans to push a patch for the two vulnerabilities, but it's possible that they could be shipped as part of Patch Tuesday updates next week on October 11, 2022.
News URL
https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html
Related news
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
| 2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |