More Microsoft Exchange zero-days exploited in the wild

A representative image of someone hacking online.
(Image credit: 123RF)

Two more zero-day vulnerabilities found in different versions of Microsoft Exchange Server are being exploited in the wild, the company has confirmed.

According to recent customer guidance that Microsoft released for reported zero days, a server-side request forgery (SSRF) flaw, and remote code execution (RCE) flaw, were identified as being used by threat actors.

The vulnerabilities were present in Microsoft Exchange Server 2013, 2016, and 2019 endpoints.

Chained flaws

"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," Microsoft explained. "At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

Exploiting the SSRF flaw isn’t as easy, though, as the attack can only be pulled off by attackers that were authenticated by the target system. Only then can they exploit the RCE flaw, too. 

What’s more, Exchange Online users are not exposed to any risks, the company confirmed, as its security team already placed detections and mitigations. 

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers,” the company added. “We are working on an accelerated timeline to release a fix.”

While Microsoft did not say who might be exploiting these flaws right now, BleepingComputer found GTSC, a Vietnamese cybersecurity firm, laying the blame on a Chinese threat actor. Apparently, the zero-days were being used to deploy China Chopper web shells for persistence, as well as data exfiltration. The same company also published mitigation measures that Microsoft subsequently confirmed. 

"On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports," Microsoft said. "The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns."

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Representational image depecting cybersecurity protection
Hackers are breaking SonicWall products to target business networks
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
vpn
Ivanti warns another critical security flaw is being attacked
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser