Microsoft has reported two new vulnerabilities (CVE-2022-41040 & CVE-2022-41082) affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.
Microsoft has observed limited, targeted attacks exploiting these vulnerabilities to compromise target systems.
Mitigations for these vulnerabilities are available; however, at the time of writing no patch is available, so the mitigations below are a stopgap until Microsoft releases a security update.
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 is a Remote Code Execution (RCE) vulnerability that is reachable when PowerShell is accessible to the attacker. Microsoft has stated that authenticated access to the Exchange Server is required to exploit either vulnerability; an attacker with that access can use the SSRF to reach the PowerShell endpoint and trigger the RCE.
Vulnerabilities of this nature have been exploited in the past (such as with ProxyShell) to deliver web shells and perform further attacks including lateral movement within target networks and delivery of malicious payloads (such as ransomware).
What You Should Do
If you are using Microsoft Exchange Online, you do not need to take any action.
If you are using on-premises Microsoft Exchange Server 2013, 2016, or 2019:
- Microsoft recommends adding a URL Rewrite request-blocking rule in IIS Manager that blocks the known attack pattern against the Autodiscover endpoint (the rule matches requests whose URL-decoded URI contains both "autodiscover" and "powershell").
- The blocking rule should be added by navigating to:
- IIS Manager → Default Web Site → Autodiscover → URL Rewrite → Actions → Add Rule(s)... → Request Blocking
- Separately, Microsoft recommends disabling remote PowerShell access for non-admin users and blocking the remote PowerShell ports (HTTP 5985 and HTTPS 5986) where they are reachable by untrusted users.
- Review the current guidance from the Microsoft Security Response Center (MSRC) before applying the rule; the recommended pattern was revised after initial publication, so make sure you apply the latest version.
- Where possible, reduce the attack surface by not exposing Outlook Web App (OWA) to the public internet, and monitor Exchange servers for web shells and unexpected PowerShell activity until a patch has been applied.
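The mitigation above, as an added example rather than code from this advisory or from Microsoft's own scripts: a PowerShell script that applies the URL Rewrite request-blocking rule to the Autodiscover application, reads it back for audit, and runs an offline check of the condition regex against constructed request URIs (sample data, not captured traffic). The rule name is an assumption; the condition input `{UrlDecode:{REQUEST_URI}}` and pattern `(?=.*autodiscover)(?=.*powershell)` are the values in Microsoft's updated guidance at the time of writing and should be verified against the current MSRC post before use.

```powershell
# Added example, not part of the original advisory or of Microsoft's guidance scripts.
# Run in an elevated PowerShell on each on-premises Exchange 2013/2016/2019 server.
# Assumes the WebAdministration module (ships with IIS) and the IIS URL Rewrite module.
Import-Module WebAdministration

$RuleName  = 'BlockProxyNotShell'                       # assumed rule name
$Pattern   = '(?=.*autodiscover)(?=.*powershell)'       # pattern from Microsoft's updated guidance; verify against MSRC
$CondInput = '{UrlDecode:{REQUEST_URI}}'                # decode first so percent-encoding cannot evade the match
$PsPath    = 'MACHINE/WEBROOT/APPHOST'                  # write the rule into applicationHost.config
$Location  = 'Default Web Site/Autodiscover'            # scope it to the Autodiscover application

function Test-UrlRewriteModule {
    # The URL Rewrite module is not installed by default on every Exchange version
    # (notably 2013); without it the rewrite section cannot be written.
    return (Test-Path "$env:SystemRoot\System32\inetsrv\rewrite.dll")
}

function Add-ProxyNotShellRule {
    if (-not (Test-UrlRewriteModule)) {
        throw 'IIS URL Rewrite module is not installed; install it before adding the rule.'
    }
    $rules = 'system.webServer/rewrite/rules'
    $rule  = "$rules/rule[@name='$RuleName']"

    if (Get-WebConfiguration -PSPath $PsPath -Location $Location -Filter $rule) {
        Write-Host "Rule '$RuleName' already present; nothing to do."
        return
    }

    # Create the rule, match every URL, add the decoded-URI condition, abort the request on match.
    Add-WebConfigurationProperty -PSPath $PsPath -Location $Location -Filter $rules -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $PsPath -Location $Location -Filter "$rule/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $PsPath -Location $Location -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = $CondInput; pattern = $Pattern }
    Set-WebConfigurationProperty -PSPath $PsPath -Location $Location -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'
    Write-Host "Rule '$RuleName' added under '$Location'."
}

function Get-ProxyNotShellRule {
    # Read back what IIS actually stored so the change can be audited.
    $rule = "system.webServer/rewrite/rules/rule[@name='$RuleName']"
    $action = Get-WebConfigurationProperty -PSPath $PsPath -Location $Location -Filter "$rule/action" -Name 'type'
    Get-WebConfiguration -PSPath $PsPath -Location $Location -Filter "$rule/conditions/add" |
        Select-Object @{ n = 'rule'; e = { $RuleName } }, input, pattern, @{ n = 'action'; e = { $action } }
}

function Test-BlockPattern {
    # Offline check of the condition regex against a request URI. Mirrors what IIS does with
    # the rule above: URL-decode the URI first, then match case-insensitively (the module's
    # default and also PowerShell's -match default).
    param([string]$RequestUri)
    $decoded = [System.Uri]::UnescapeDataString($RequestUri)
    return [bool]($decoded -match $Pattern)
}

# Constructed sample URIs: the known attack shape, a percent-encoded variant, and benign traffic.
$samples = @(
    '/autodiscover/autodiscover.json?a@b.com/powershell/?X-Rps-CAT=x',   # BLOCK
    '/autodiscover/autodiscover.json?a@b.com/%50ower%53hell/',            # BLOCK, but only because the URI is decoded first
    '/autodiscover/autodiscover.json?a@b.com&Email=a@b.com',              # allow
    '/owa/auth/logon.aspx'                                                # allow
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f $(if (Test-BlockPattern $s) { 'BLOCK' } else { 'allow' }), $s
}

Add-ProxyNotShellRule
Get-ProxyNotShellRule | Format-Table -AutoSize
```

The offline check is there for a reason: Microsoft's first published rule matched the raw `{REQUEST_URI}`, and that version could be evaded with percent-encoding, which is why the revised guidance matches on the URL-decoded URI. Confirm the stored rule with `Get-ProxyNotShellRule` after applying it, and remove or replace the rule once the official security update has been installed.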
If you require further help, please contact our Technical Assistance Center at email@example.com or 1-800-541-0450.