Mitigation of two new zero-day vulnerabilities in Microsoft Exchange

On September 29, Microsoft officially disclosed that it is investigating two zero-day vulnerabilities affecting Exchange Server 2013, 2016, and 2019. We prepared this post for users of these products to briefly explain the issue and how you can minimize risk.

What are these vulnerabilities? CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 allows remote code execution if the attacker has access to PowerShell.

Are they being used in the wild? Yes, Microsoft has officially confirmed that they are. The company is aware of “limited targeted attacks” that use these vulnerabilities to penetrate users’ systems. In these attacks, CVE-2022-41040 can allow an authenticated attacker to trigger CVE-2022-41082 remotely.

However, the risks are quite low. The company emphasized that authenticated access to the vulnerable Exchange Server is required to exploit either of the two vulnerabilities successfully.

How can risks be mitigated? Unfortunately, there are no patches yet. However, if you’re a Microsoft Exchange Online user, you’re out of danger. The service has built-in detections and mitigations to protect customers.

If you’re a Microsoft Exchange Server user, we advise completing both the “URL Rewrite rule” mitigation for CVE-2022-41040 and the “Disable remote PowerShell for non-admins” mitigation for CVE-2022-41082. This will help reduce risks. You can find detailed instructions in the Microsoft Security Response Center.

To be protected from zero-day vulnerabilities, use Gcore NG-WAF. We’ll keep you informed of and safe from any threats.