Two new zero-day exploits in Microsoft Exchange Server
Once again, two vulnerabilities classified as zero-days have surfaced in Exchange. They were uncovered by two researchers from the security company GTSC. All Exchange versions from Exchange Server 2013 onwards are affected.
Microsoft also warns of the vulnerabilities in its own blog post, which also contains information on how to protect Exchange servers temporarily. In the blog post "Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082", Microsoft goes into more detail on the topic, and the BSI also warns of the attacks and provides instructions on how to block the corresponding URL.
These vulnerabilities are not theoretical; they are already being actively exploited. The researchers have already found several infected servers, and a honeypot has also been successfully attacked. Exchange servers that are directly connected to the Internet and expose the Autodiscover function are, of course, particularly at risk.
Security products do not yet recognize attacks, but there is a scanner
Most security products do not yet recognize these attacks, and until a few days ago there was no CVE number for them. The following two numbers have now been assigned: CVE-2022-41040 and CVE-2022-41082. Attackers who exploit these vulnerabilities can execute code remotely on the servers. Access is gained through Autodiscover requests to PowerShell, after which a web shell gives attackers persistent access to the Exchange server.