Microsoft has officially disclosed that it is investigating two zero-day security vulnerabilities affecting Exchange Server 2013, 2016, and 2019 after reports of exploits in the wild.
The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, CVE-2022-41082, enables remote code execution (RCE) when PowerShell is accessible to the attacker, the tech giant said.
The company also confirmed that it is aware of “limited targeted attacks” that weaponize the flaws to gain access to targeted systems, but stressed that authenticated access to the vulnerable Exchange server is required for a successful exploit.
The attacks detailed by Microsoft combine the two flaws into an exploit chain in which the SSRF bug enables an authenticated adversary to remotely trigger arbitrary code execution.
The Redmond-based company also emphasized that it is working on an “accelerated timeline” to fix the problem, and urged Microsoft Exchange customers to set a blocking rule in IIS Manager as a temporary mitigation in the meantime.
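As an added illustration, not text from the article or from Microsoft's advisory, the IIS Manager blocking rule referred to above can also be expressed as a URL Rewrite "Request Blocking" rule in the web.config of the Default Web Site. The rule name is a placeholder chosen here; the regular expression on {REQUEST_URI} is the one Microsoft's initial guidance published for this mitigation and is an assumption in this context because the article itself does not quote it. Microsoft later revised that pattern, so the current advisory text should be consulted before deploying it.

```xml
<!-- Added example: URL Rewrite request-blocking rule for the Default Web Site.
     Requires the IIS URL Rewrite module. Rule name is a placeholder; the
     condition pattern is taken from Microsoft's initial published guidance
     (not from the article) and was later broadened by Microsoft. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="BlockAutodiscoverPowerShell" stopProcessing="true">
          <!-- Inspect every request path; the condition below decides the block. -->
          <match url=".*" />
          <conditions>
            <!-- Abort requests whose URI matches the published pattern. -->
            <add input="{REQUEST_URI}" pattern=".*autodiscover\.json.*\@.*Powershell.*" />
          </conditions>
          <!-- AbortRequest drops the connection rather than returning a page. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After adding the rule, confirm it appears under the Default Web Site in IIS Manager's URL Rewrite view and that ordinary Autodiscover and Outlook traffic still succeeds; the rule is a stopgap until the vendor patch is applied, not a replacement for it.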