Security News > 2023 > January > CISA orders agencies to patch Exchange bug abused by ransomware gang
The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution.
Texas-based cloud computing provider Rackspace confirmed one week ago that the Play ransomware gang exploited it as a zero-day to bypass Microsoft's ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers.
The second vulnerability CISA added to its Known Exploited Vulnerabilities catalog is a privilege escalation zero-day in the Windows Advanced Local Procedure Call, tagged as being exploited in attacks and patched by Microsoft during this month's Patch Tuesday.
A BOD 22-01 binding operational directive issued by CISA in November 2021 requires all Federal Civilian Executive Branch Agencies agencies to secure their networks against bugs added to the KEV catalog.
Today, CISA gave FCEB agencies three weeks, until January 31st, to address the two security flaws and block potential attacks targeting their systems.
Since the BOD 22-01 directive was issued, CISA added more than 800 security flaws to its list of bugs exploited in the wild, requiring federal agencies to address them on a tighter schedule to prevent potential security breaches.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-09 | CVE-2022-41080 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 8.8 |
| 2022-10-03 | CVE-2022-41082 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 8.0 |