Microsoft Exchange server zero-day mitigation is circumvented (13th October 2022)

Ref# AL2022_66 | Date: Oct 13th 2022


Microsoft officially disclosed that it is investigating two zero-day security vulnerabilities affecting Exchange Server 2013, 2016 and 2019. The company has released mitigations for the two new Microsoft Exchange zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082. 


The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, CVE-2022-41082, allows remote code execution (RCE) when the attacker has access to PowerShell. In a new analysis, the Microsoft Threat Intelligence Center (MSTIC) stated that these attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft stated that while these vulnerabilities necessitate authentication, the authentication required for exploitation can be that of a standard user. Standard user credentials can be obtained through a variety of attacks, such as password spraying or purchase through the cybercriminal economy. Microsoft also stated that it is working on an “accelerated timeline” to fix the flaws. 


Microsoft provided mitigations for on-premises servers as well as a strong recommendation for Exchange Server customers to “disable remote PowerShell access for non-admin users” within the organization. Microsoft also proposed blocking known attack patterns via an IIS Manager rule to reduce the risk of exploitation. Administrators can also update the Exchange On-premises Mitigation Tool, which is a script that requires PowerShell 3 or later, admin privileges and IIS 7.5 or newer. However, the rule proposed by Microsoft covers only known attacks, so the URL pattern is limited to them. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  

PDF Download: Microsoft Exchange server zero-day mitigation is circumvented.pdf