
Microsoft Exchange Zero Day Vulnerability Being Exploited For Attacks

A few days ago, two zero-day vulnerabilities were discovered in Microsoft Exchange Server 2013, 2016, and 2019. Microsoft has now confirmed that the vulnerabilities are currently being exploited by attackers in the wild. Interim mitigations are available, but a proper fix is not yet.

The gaps are open, Microsoft warns of active attacks

Since yesterday, the Microsoft Security Response Center has had an entry up that provides an update on the investigation into two major vulnerabilities in Exchange. First, Microsoft once again lists the identifiers in the Common Vulnerabilities and Exposures (CVE) catalog and the known attack vectors:

  • The first vulnerability, labeled CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability
  • The second vulnerability, labeled CVE-2022-41082, allows remote code execution (RCE) if the attacker has access to PowerShell

This is followed by a clear warning from the security researchers: “Microsoft is currently aware of a number of targeted attacks in which the two security vulnerabilities are exploited in order to penetrate users’ systems.” However, the company also emphasizes that “authenticated access” to the vulnerable Exchange Server is required to successfully exploit either vulnerability.

Patch in progress, workaround is available

According to Microsoft, the company is working on an “accelerated schedule” for the release of the necessary fixes, but cannot yet give a date for when the fix can be expected.

So that customers can protect themselves from possible attacks until then, Microsoft points to instructions for interim mitigations. To apply the protective measures to vulnerable servers, the following steps are necessary:

  • Open IIS Manager
  • Expand Default Web Site
  • Select Autodiscover
  • Click URL Rewrite in the Features view
  • In the Actions pane on the right, click Add Rules
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover.json.*@.*Powershell.*” (without quotes) and click OK
  • Expand the rule, select the rule with the pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions
  • Change the condition input from {URL} to {REQUEST_URI}

Microsoft’s administrators also advise blocking the following remote PowerShell ports to prevent the attacks: