Researchers from the Vietnamese cybersecurity company GTSC are warning about two zero-day vulnerabilities they discovered in Microsoft Exchange servers, registered with the Zero Day Initiative as ZDI-CAN-18333 and ZDI-CAN-18802. The flaws were found on fully patched servers and are already being actively exploited. Attackers are using the remote code execution vulnerability to collect information, drop web shells on the compromised server, create backdoors, and move laterally to other servers in the compromised network.
CVE-2022-41040 & CVE-2022-41082
The two vulnerabilities, which affect Exchange Server 2013, 2016, and 2019, are tracked as CVE-2022-41040 and CVE-2022-41082, with CVSS scores of 8.8 and 6.3 respectively. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. Although attacks exploiting the vulnerabilities have already been observed, Microsoft emphasizes that authenticated access to the vulnerable Exchange Server is required to exploit them.
Once the attackers had secured access to the targeted server, they collected information, created backdoors, moved laterally within the compromised network, and dropped web shells. The vulnerabilities have been dubbed ProxyNotShell by security researcher Kevin Beaumont because of their similarity to the attacks exploiting the ProxyShell vulnerabilities back in August. You can find detailed information on GTSC's warning page and in Microsoft's response.
Protect Vulnerable Exchange Servers
Microsoft is working to release a fix as soon as possible. In the meantime, all instances of Microsoft Exchange Server 2013, 2016 and 2019 remain at risk. Microsoft advises users to apply its URL Rewrite instructions and to block exposed Remote PowerShell ports to protect vulnerable servers. You can find step-by-step instructions for the URL Rewrite rule in Microsoft's own blog post. Additionally, you are advised to block the ports listed below: authenticated attackers with access to PowerShell Remoting may otherwise be able to trigger RCE through CVE-2022-41082. Microsoft will continue to release updates as more information becomes available.
- HTTP: 5985
- HTTPS: 5986
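The following script is an added example, not part of the Lansweeper post or of Microsoft's guidance. It applies the two mitigations described above from the defender's side: it creates inbound Windows Firewall block rules for the Remote PowerShell ports (TCP 5985 and 5986), warns if something is still listening on them, and reports which URL Rewrite rules are present on the Autodiscover application so you can confirm Microsoft's rule was applied. The firewall rule names and the IIS site path `IIS:\Sites\Default Web Site\Autodiscover` are assumptions; adjust them to your environment. Run it in an elevated PowerShell session on the Exchange server.

```powershell
#Requires -RunAsAdministrator
# Added example: block Remote PowerShell ports and check for URL Rewrite rules.
# Rule names and the IIS path below are assumptions, not values from the advisory.
Import-Module NetSecurity
Import-Module WebAdministration

# 1. Block the Remote PowerShell ports named in the advisory (HTTP 5985, HTTPS 5986).
$ports = @(5985, 5986)
foreach ($port in $ports) {
    $ruleName = "Block WinRM TCP $port (ProxyNotShell mitigation)"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Block -Profile Any | Out-Null
        Write-Output "Created inbound block rule for TCP/$port"
    } else {
        Write-Output "Block rule for TCP/$port already present"
    }
}

# 2. Report whether WinRM is still listening; the firewall rule blocks inbound
#    connections, but the listener itself stays active until WinRM is disabled.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "TCP/$($_.LocalPort) still has a listener (blocked by firewall rule)" }

# 3. List URL Rewrite rules on the Autodiscover application (site path assumed).
$sitePath = 'IIS:\Sites\Default Web Site\Autodiscover'
$rules = Get-WebConfiguration -PSPath $sitePath `
    -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Warning "No URL Rewrite rules found under $sitePath; apply Microsoft's URL Rewrite instructions"
} else {
    $rules | ForEach-Object { "Rewrite rule '{0}' matches URL pattern '{1}'" -f $_.name, $_.match.url }
}
```

Blocking TCP 5985/5986 also cuts off legitimate WinRM-based remote administration of that host, so plan for console or alternative management access before applying it. The Exchange Management Shell itself connects over the IIS PowerShell virtual directory rather than these ports, which is why Microsoft's second mitigation targets the URL Rewrite layer.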
If you are using Microsoft Exchange Online, you do not need to take any action. That service has its own detections and mitigations in place to protect customers.
Discover Vulnerable Microsoft Exchange Servers
To find any Microsoft Exchange Servers in your network that may be vulnerable to CVE-2022-41040 and CVE-2022-41082, our team at Lansweeper has created a special report. This way you have an actionable list of devices that might require your intervention and that will need to be updated once Microsoft releases the patch.
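As an added example (not the Lansweeper report itself), the following Exchange Management Shell snippet produces a comparable list from the Exchange organization: it enumerates every Exchange server, reads its `AdminDisplayVersion`, and flags the affected product lines by major.minor version (Exchange 2013 is 15.0, 2016 is 15.1, 2019 is 15.2). The function name is my own; the cmdlet and properties are standard Exchange ones.

```powershell
# Added example: list Exchange servers and flag the product lines affected by
# CVE-2022-41040 / CVE-2022-41082. Run from the Exchange Management Shell.
function Get-ProxyNotShellExposure {
    Get-ExchangeServer | ForEach-Object {
        $v = $_.AdminDisplayVersion
        # Map the major.minor version to the marketing name of the product line.
        $product = switch ("$($v.Major).$($v.Minor)") {
            '15.0'  { 'Exchange 2013' }
            '15.1'  { 'Exchange 2016' }
            '15.2'  { 'Exchange 2019' }
            default { 'Other' }
        }
        [pscustomobject]@{
            Name     = $_.Name
            Version  = $v.ToString()
            Product  = $product
            Affected = ($product -ne 'Other')   # no patch exists yet, so every 2013/2016/2019 server counts
            Edge     = $_.IsEdgeServer
        }
    }
}

# Print the actionable list: affected servers only, sorted by name.
Get-ProxyNotShellExposure | Where-Object Affected | Sort-Object Name | Format-Table -AutoSize
```

Because no patch is available at the time of writing, every server on the three product lines is reported as affected; once Microsoft ships a fix, extend the check to compare the full build number against the patched build rather than the product line alone.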