Microsoft is investigating the potential exploitation of not one, but two distinct vulnerabilities impacting the Exchange Server 2013, 2016, and 2019 family of products.
These reported 0-days, tracked as CVE-2022-41040 and CVE-2022-41082, are used in sequence. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that lets an authenticated user reach Exchange back-end endpoints through the front end, and CVE-2022-41082 allows remote code execution (RCE) when the attacker can reach the Exchange PowerShell back end, which is exactly what the SSRF provides. Valid credentials for a user on the server are required to start the chain, so the pair is rated lower than the unauthenticated ProxyShell chain; in practice the difference is small, since any phished, password-sprayed or leaked mailbox account is enough, and the exploit is fully functional in the wild.
At this time, Microsoft is aware of a limited number of targeted attacks exploiting these vulnerabilities and has accelerated its timeline for a fix. In the meantime, Microsoft's interim guidance is a Request Blocking rule in the IIS URL Rewrite module on the Exchange front-end site (Default Web Site) that aborts requests carrying the Autodiscover-to-PowerShell path, together with disabling remote PowerShell for non-admin users. This applies to on-premises servers only, including the on-premises side of hybrid deployments; Exchange Online customers are not affected according to Microsoft. The rule is a stopgap against the known request shape, not a fix, so it has to be re-checked whenever Microsoft revises the guidance.
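As an added example (not material from the original post, and not Microsoft's EOMTv2 script, which automates the same thing), the following PowerShell applies the blocking rule with the WebAdministration module instead of clicking through IIS Manager. It assumes an elevated PowerShell session on the Exchange server with the IIS URL Rewrite module installed, a front-end site named Default Web Site, and a rule name of my choosing; the condition input and pattern are the ones from Microsoft's revised guidance, which changed more than once, so check them against the current advisory before rolling out.

```powershell
# Added example: install the URL Rewrite request-blocking rule from PowerShell.
# Assumptions: elevated session on the Exchange server, URL Rewrite module
# installed, front-end site is 'Default Web Site'. Rule name is arbitrary.
Import-Module WebAdministration

$siteName = 'Default Web Site'              # Exchange front end (port 443)
$site     = "IIS:\Sites\$siteName"
$ruleName = 'ProxyNotShell-Block'            # assumed name, not from Microsoft
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Create the rule element only if it is not already present, so re-runs are safe.
if (-not (Get-WebConfiguration -PSPath $site -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{
        name           = $ruleName
        patternSyntax  = 'ECMAScript'        # regular-expression syntax
        stopProcessing = 'True'
    }
}

# Match every request URL, then filter on the URL-decoded request URI so that
# percent-encoded variants of the autodiscover/powershell path are caught too.
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '.*'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' -Value @{
    input      = '{UrlDecode:{REQUEST_URI}}'
    matchType  = '0'                          # 0 = Pattern
    pattern    = '(?=.*autodiscover)(?=.*powershell)'   # Microsoft's revised pattern
    ignoreCase = 'True'
    negate     = 'False'
}

# Abort the connection rather than answer with a status code.
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'

# Read the rule back as a quick sanity check.
Get-WebConfiguration -PSPath $site -Filter $rule |
    Select-Object name, patternSyntax, stopProcessing
```

Run it on every front-end (Client Access) server, then confirm in IIS Manager under Default Web Site > URL Rewrite that the rule is present and that OWA and Autodiscover still work for ordinary clients; a rule that is too broad will break legitimate Autodiscover traffic, which is why the condition is anchored on both words rather than on "autodiscover" alone.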
On the technical side, the request path mirrors ProxyShell: the front-end Autodiscover endpoint is abused to proxy a request to a back-end component (here the PowerShell remoting endpoint), and that back end is what yields code execution. Post-exploitation observed in the in-the-wild attacks follows the ProxyShell playbook as well: web shells written under the Exchange web directories, certutil used to fetch additional payloads, and malicious DLLs injected into processes to drop further files. Hunting should therefore cover both the IIS logs on the front-end servers, for the request shape, and the servers themselves, for new web shell files and unexpected child processes of w3wp.exe.
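As an added example (not from the original post), this PowerShell wraps the IIS log hunt that Microsoft published for these CVEs in a reusable function and runs it over a constructed log file so it can be tried offline. The function name, the temp directory and the log lines are mine; only the regular expression is Microsoft's published hunting pattern.

```powershell
# Added example: hunt IIS W3C logs for ProxyNotShell-style requests.
# The sample log below is constructed for the demo and is not real traffic.

function Find-ProxyNotShellRequests {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        # Microsoft's published hunting pattern: the request names the PowerShell
        # back end, routes via autodiscover.json with an '@' in the URL, and was
        # answered with a 200. Select-String is case-insensitive by default.
        [string] $Pattern = 'powershell.*autodiscover\.json.*\@.*200'
    )
    Get-ChildItem -Recurse -Path $LogPath -Filter '*.log' |
        Select-String -Pattern $Pattern |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Request = $_.Line
            }
        }
}

# --- demo with constructed data (assumed file name and paths) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) 'iis-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:01:10 10.0.0.5 GET /owa/ - 443 CORP\alice 198.51.100.8 Mozilla/5.0 - 200 0 0 45
2022-09-30 08:02:33 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/&Email=autodiscover/autodiscover.json%3f@evil.example 443 CORP\alice 203.0.113.9 python-requests/2.28 - 200 0 0 612
2022-09-30 08:02:34 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.9 python-requests/2.28 - 401 0 0 3
'@ | Set-Content -Path (Join-Path $demo 'u_ex220930.log')

# Only the second line is reported: the OWA request never touches PowerShell,
# and the third line was rejected with a 401 before reaching the back end.
Find-ProxyNotShellRequests -LogPath $demo | Format-Table -AutoSize
```

Point `-LogPath` at the real IIS log root on each front-end server (by default `C:\inetpub\logs\LogFiles`). The pattern is deliberately coarse, so every hit needs a manual look at the client IP, the authenticated user and what the same session did next; a hit with a 200 status means the front end forwarded the request to the PowerShell back end, not necessarily that the RCE succeeded.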
How to detect your exposed Microsoft Exchange servers
Attack Surface Intelligence clients can inventory all exposed Exchange instances and their versions, including the ones potentially affected by these two new CVEs, as shown in the following screenshot:
If you are a client with access to the Attack Surface Intelligence module, go to your project and navigate to Inventory -> Admin Pages. For better visibility, tick “Microsoft Exchange Control Panel” to filter out everything else.
Most importantly, scanning for vulnerable Exchange servers with the Attack Surface Intelligence Risk Rules feature gives you a complete list of the hosts on which you may need to act.
Whether or not these two CVEs end up being classed as 0-days, more information is needed from Microsoft before the full mitigation and remediation path is known. For now, keep all on-premises Exchange servers on the latest Cumulative Update and Security Update, apply the interim guidance above, and review the IIS logs on the front-end servers for signs of the autodiscover/PowerShell request pattern.