The company is tracking the flaws as CVE-2022-41040 and CVE-2022-41082, respectively. Microsoft describes the first as a Server-Side Request Forgery (SSRF) bug, while the second could allow threat actors to conduct a remote code execution (RCE) attack through PowerShell. However, an attack would require the malicious actor to have authenticated access to Microsoft Exchange Server. Furthermore, Microsoft says Exchange Server users do not need to do anything as the vulnerabilities are only for on-premises versions of Exchange Server 2013, 2016, and 2019. Evens so, Microsoft has yet to issue a patch for either zero-day. As such, the company is not currently offering many details about how an attack would look. This is simply to avoid giving threat actors information that could help them start an attack chain. Although, Microsoft is providing workarounds such as putting a blocking rule in URL Rewrite Instructions and blocking ports 5986 (HTTPS) and 5985 (HTTP) in Remote PowerShell.
Difficult Time
It has been a rough 18 months for Microsoft Exchange servers, including a dismal 2021 where attacks on the service became the biggest cyberthreat of the year. Then the LockFile ransomware became a problem. In April, Microsoft confirmed the Hive ransomware-as-a-service was targeting Exchange Server. Tip of the day: Having problems with pop-ups and unwanted programs in Windows? Try the hidden adware blocker of Windows Defender. We show you how to turn it on in just a few steps.