Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities and is working on an accelerated timeline to release a fix. Until then, it is providing the mitigations and detection guidance below to help customers protect themselves from these attacks.
Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in this Microsoft Security Response Center post.
For more information and updates:
Microsoft Security Response Center
Source: Microsoft Security Blog