Vulnerabilities > CVE-2022-41040 - Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Microsoft Exchange Server Elevation of Privilege Vulnerability
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Common Weakness Enumeration (CWE)
Related news
- MS Exchange zero-days: The calm before the storm? (source)
- ProxyNotShell – the New Proxy Hell? (source)
- Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds (source)
- Microsoft updates mitigation for ProxyNotShell Exchange zero days (source)
- Microsoft Exchange servers hacked to deploy LockBit ransomware (source)
- Microsoft adds new RSS feed for security update notifications (source)
- Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (source)
- Ransomware gang uses new Microsoft Exchange exploit to breach servers (source)
- Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations (source)
- New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) (source)
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040
- https://www.kb.cert.org/vuls/id/915563
- http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html
- https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/