Microsoft Publishes Guidance On New Zero-Day Threats To Exchange Servers That Are Being Exploited

If you are responsible for an Microsoft Exchange server and it is not Microsoft’s Exchange Online offering, then you should read this story and take action immediately. Microsoft is reporting via a blog post that there’s a zero-day Exchange vulnerability in the wild:

Microsoft is aware of limited targeted attacks using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the Microsoft Security Response Center blog for the mitigation guidance regarding these vulnerabilities.  

CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect post-exploitation malware and activity associated with these attacks. Microsoft also released a script, available at, to apply the mitigations for the SSRF vector CVE-2022-41040 to on-premises Exchange servers.

Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.

What makes these exploits so dangerous is this:

While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.

So, if any user who gets e-mail from an Exchange server has their credentials leak out to threat actors, then the threat actors can use these exploits to pwn the Exchange server. Lovely.

The fact that the attacks at present are targeted implies that a nation state is behind this. There are no signs yet that the exploits have been publicly published. But that’s likely to to change soon. Which is why Exchange admins need to take action now by following this guidance from Microsoft. To reiterate, if you’re responsible for administering an Exchange server that is part of Microsoft’s Exchange Online offering, then you need not worry. If however your Exchange server is on premise, then you have some work to do. And that work is a today problem.

Leave a Reply

%d bloggers like this: