Zero-day Vulnerabilities in Microsoft Exchange Server

By Jeyakumar Durai (JD)
Cloud Architect

Couple of new Zero-day Vulnerabilities are identified in Microsoft Exchange Servers which are acknowledged and being addressed by Microsoft under the CVEs [CVE-2022-41040 –Side Request Forgery SSRF] , [CVE-2022-41082 –Remote Code Execution RCE ].

What is the impact due to these Vulnerabilities?

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger the Remote Code Execution and can make lateral movements to other servers in the system.

What is the Mitigation plan from Microsoft?

Please review the detailed step by step mitigation plan released by “Microsoft Security response Center”

  1. Apply the URL Rewrite Instructions on each Exchange server.
    1. If you are running Exchange 2013/2016/2019 and don’t see the URL Re-Write in the “IISManager”, please install the IIS URL Rewrite module first and then implement the mitigation described. (This may require restart of the Exchange server and existing client connections will be dropped)
  2. Block the exposed Remote PowerShell ports [HTTP : 5985 and HTTPS 5986] inbound to Exchange Servers.

All Exchange customers are advised to implement the mitigation plan as soon as possible since these are active and wildly exploit vulnerabilities now.

Is there a patch released by Microsoft for these vulnerabilities?

Microsoft is actively working on releasing a patch but at this moment customers are advised to implement the mitigation plan as soon as possible.

Is Exchange Online (Microsoft 365) affected by these vulnerabilities?

Microsoft has assured that necessary detections and mitigations are in place to protect the Microsoft 365 (Exchange Online) customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions.

Helient strongly recommends taking the necessary steps to mitigate these active wildly exploit vulnerabilities to keep your Exchange server environment safe and secure. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.