
Zero-day Vulnerabilities in Microsoft Exchange Server


Summary

The two vulnerabilities concern server-side forgery leading to RCE, and together they are being actively exploited


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Researchers have disclosed two actively exploited zero-day vulnerabilities in Microsoft Exchange Server. The vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, are a server-side request forgery (SSRF) flaw and a remote code execution (RCE) flaw respectively. RCE is possible only when PowerShell is accessible to the attacker.

A remote, authenticated attacker could abuse CVE-2022-41040 in order to exploit CVE-2022-41082, which could lead to remote code execution (RCE).

Further High Severity Cyber Alert expected

When Microsoft issues a security update to remediate these zero-day vulnerabilities, NHS Digital will follow up with another High Severity Cyber Alert to notify affected organisations.


Threat updates

10 Oct 2022: Microsoft guidance changes effective 7-8 Oct 2022

October 8, 2022 updates:

  • A correction was made to the string in step 6 and step 9 of the URL Rewrite rule mitigation (Option 3). Steps 8, 9 and 10 have updated images.

October 7, 2022 updates:

  • Further improvement has been made to the URL Rewrite rule mitigation. Customers should review and use one of these options:
    • Option 1: The mitigation for EEMS has been updated and the updates will be applied automatically.
    • Option 2: The mitigation for EOMTv2 has been updated.
    • Option 3: The string in step 6 and step 9 has been revised. Steps 8, 9 and 10 have updated images.

6 Oct 2022: Microsoft guidance changes effective 5-6 Oct 2022

October 6, 2022 updates:

  • An updated version of EOMTv2 was released to remove an extra space in the script; the space did not affect functionality.

October 5, 2022 updates:

  • Further improvement has been made to the URL Rewrite rule mitigation. Customers should review and use one of these options:
    • Option 1: The mitigation for the EEMS rule has been updated and the updates will be applied automatically.
    • Option 2: The mitigation for EOMTv2 has been updated.
    • Option 3: The instructions and image in step 10 are updated for a change to the Condition input.
  • Added under the Mitigations section that Exchange Server customers should complete both recommended mitigations.

5 Oct 2022: Microsoft guidance changes effective 4 Oct 2022

Microsoft has made important updates to the Mitigations section of its security advisory "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", improving the URL Rewrite rule. Affected organisations should review the Mitigations section and apply one of these updated mitigation options:

  • Option 1: The EEMS rule is updated and is applied automatically.
  • Option 2: The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
  • Option 3: The URL Rewrite rule instructions have been updated. The string in step 6 and step 9 has been revised. Steps 8, 9 and 10 have updated images.

3 Oct 2022: Changes due to updated Microsoft guidance

This Cyber Alert has been updated to reflect revised Microsoft guidance. The statement previously made that "Microsoft Exchange Online customers do not need to take any action" may not apply where Exchange Hybrid servers are in use, as those servers could be vulnerable; mitigations should be applied to Hybrid servers.


Remediation advice

Affected organisations are required to read the Microsoft Security Response Center blog post and apply all mitigations until a fix is released.

NOTE: Microsoft is now providing multiple mitigations. Organisations are required to apply all of them.



Last edited: 10 October 2022 11:48 am