Microsoft has confirmed that two unpatched Exchange server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks. The flaws were first discovered in August 2022 by Vietnamese cybersecurity firm GTSC as part of its response to a customer cybersecurity incident, which said the two zero-day vulnerabilities had been used in attacks on its customers’ environments dating back to early August 2022.
In a blog post late Thursday, the Microsoft Security Response Center (MRSC) said the two vulnerabilities, identified as CVE-2022-41040, are a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows execution on a vulnerable server when PowerShell is accessed by an attacker remote code.
“At this time, Microsoft believes there are limited targeted attacks to exploit these two vulnerabilities to gain access to user systems,” Microsoft said, noting that an attacker would need authenticated access to a vulnerable Exchange server, such as stealing credentials, to successfully exploit either of the two vulnerabilities, which affects on-premises Microsoft Exchange Server 2013, 2016 and 2019.
Microsoft did not share any further details about these attacks, and security firm Trend Micro gave the two vulnerabilities a severity rating of 8.8 and 6.3 out of 10.
However, GTSC reported that cybercriminals linked the two vulnerabilities together to create backdoors on the victim’s system, and could also move laterally through the network being attacked. Having successfully mastered the vulnerability can gather information and establish a foothold in the victim’s system.
Security researcher Kevin Beaumont, who was one of the first to discuss the GTSC findings in a series of tweets on Thursday, said he was aware that the vulnerability was “actively being exploited externally” and that he “can confirm that a large number of Exchange servers have fallen”.
Microsoft declined to say when the patch would be available, but noted in its blog post that the upcoming fix is on an “accelerated timeline”.
Until then, the company advises customers to follow the interim mitigation measures shared by GTSC, which include adding a blocking rule to the IIS manager. The company noted that Exchange Online customers do not need to take any action at this time, as the zero-day event only affects internal Exchange servers.
