
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. Microsoft is working on an accelerated timeline to release a fix. Until then, it is providing the mitigation and detection guidance below to help customers protect themselves from these attacks.

Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in this Microsoft Security Response Center post.

For more information and updates:

Microsoft Security Response Center

Bleeping Computer

Source: Microsoft Security Blog

Security Alert: Zero-Day Vulnerabilities in Microsoft Exchange Server

October 3rd, 2022
Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.
