Microsoft Exchange Server has taken a beating over the last 12-18 months. A slew of bugs, breaches, and vulnerabilities have befallen the mail and calendaring service. As we have to wait until 2025 for the next version, the current Exchange Server is all we've got. Unfortunately, Microsoft is confirming today two new zero-day vulnerabilities on the platform.
The company is tracking the flaws as CVE-2022-41040 and CVE-2022-41082, respectively. Microsoft describes the first as a Server-Side Request Forgery (SSRF) bug, while the second could allow threat actors to conduct a remote code execution (RCE) attack through PowerShell. However, an attack would require the malicious actor to have authenticated access to Microsoft Exchange Server.
Furthermore, Microsoft says Exchange Online users do not need to do anything, as the vulnerabilities affect only the on-premises versions of Exchange Server 2013, 2016, and 2019.
Even so, Microsoft has yet to issue a patch for either zero-day. As such, the company is not currently offering many details about how an attack would look, so as to avoid giving threat actors information that could help them start an attack chain.
Microsoft is, however, providing workarounds, such as adding a blocking rule in URL Rewrite and blocking the Remote PowerShell ports 5986 (HTTPS) and 5985 (HTTP).
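The port-blocking workaround mentioned above, written out as an added PowerShell example for Windows Defender Firewall (this is not code from the article or from Microsoft's guidance). It assumes an elevated session on the on-premises Exchange server and that the built-in Windows Firewall is the enforcement point.

```powershell
# Added example: block inbound Remote PowerShell (WinRM) ports 5985/5986
# on an on-premises Exchange server. Assumes an elevated PowerShell session.

$Ports = @{ 5985 = 'HTTP'; 5986 = 'HTTPS' }

foreach ($port in $Ports.Keys) {
    $name = "Block Remote PowerShell $($Ports[$port]) (TCP $port)"

    # Make the script safe to re-run: skip rules that already exist.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    # Inbound block rule for the port on every firewall profile.
    # This blocks all sources; narrow it with -RemoteAddress if a
    # management host must keep remote PowerShell access.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Action Block -Profile Any | Out-Null
    Write-Host "Created: $name"
}

# Verify that both rules exist, are enabled, and block inbound traffic.
Get-NetFirewallRule -DisplayName 'Block Remote PowerShell*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Blocking these ports for every source also cuts off legitimate remote management, so scope the rules to the hosts that need it before rolling them out broadly.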
It has been a rough 18 months for Microsoft Exchange servers, including a dismal 2021 where attacks on the service became the biggest cyberthreat of the year. Then the LockFile ransomware became a problem.
In April, Microsoft confirmed the Hive ransomware-as-a-service was targeting Exchange Server.