Skip to content
The New Era of Internet Exposure: What It Means for Security Teams | Stream Now
Blog

CVE-2022-41040 / CVE-2022-41082: 0day in Microsoft Exchange

Share

September 30, 2022

Updates 2022-10-04

  • Censys has added a risk for Censys ASM customers for hosts running a vulnerable version of Exchange (Deployed 2022-10-03)

Updates 2022-10-03

  • Still no official fix from Microsoft, but they have released a mitigation guide.
  • The vulnerability has been reported to affect: Exchange Server 2013, 2016, and 2019

Reports of a newly discovered vulnerability in Microsoft Exchange services have been brought to light with no official fix as of September 30th, 2022.  Researchers at the security company GTSC first published a set of analyses and Indicators of Compromise (IOCs) to find signs of a new zero-day attack campaign that was targeting their customers.

 

The same night as GTSC’s release, Microsoft announced they had confirmed two new exploits currently being tracked as CVE-2022-41040 and CVE-2022-41082. The first CVE, CVE-2022-41040, is a Server-Side Request Forgery vulnerability that can be leveraged with CVE-2022-41082 to achieve a Remote Code Execution (RCE).

Microsoft also stated that they are aware of targeted attacks using these exploits in the wild. Meaning there is currently an active campaign to compromise vulnerable hosts.

Microsoft also noted that for either of these vulnerabilities to be exploited successfully, the attacker must have some form of valid credentials.

Update 2022-10-03

While there has not been an official patch for this vulnerability as of 2022-10-03, Microsoft has released a mitigation guide which the reader can find here.

We have created an interactive dashboard for tracking these Microsoft Exchange services with Censys scan data. This vulnerability has been reported to work on the following:

  •  Exchange Server 2013
  •  Exchange Server 2016
  •  Exchange Server 2019.

 

 

This dashboard allows a user to filter and pivot into varying levels of detail, such as the Microsoft Exchange version.
The country where the host is located
And the origin Autonomous System Name.

 

At the moment, the best way to identify these Exchange servers using Censys is by using the following search query:

same_service(services.http.response.favicons.name: */owa/auth/*  and  services.http.response.html_title={“Outlook Web App”, “Outlook”})

Censys ASM customers will now have access to a new risk covering these two vulnerabilities.

Attack Surface Management Solutions
Learn more