Emerging Threats: Microsoft Exchange On-Prem Zero-Days


This week, Microsoft confirmed two new Exchange zero-day vulnerabilities used in attacks. Right now, there isn’t a patch available for the two unique CVEs affecting Microsoft Exchange On-Premises (note that Microsoft Exchange Online customers aren’t impacted):

  • CVE-2022-41040: Server-Side Request Forgery (SSRF) vulnerability, in which an attacker tricks the server into making requests on the attacker’s behalf.
  • CVE-2022-41082: Allows remote code execution (RCE) when PowerShell is accessible to the attacker. This can be used to gain access to the server running Microsoft Exchange.

What happened?

GTSC, a Vietnamese cybersecurity coalition, reported on September 29, 2022 that it had identified exploitation of two previously undisclosed vulnerabilities on a fully patched Exchange Server. The activity was first observed in early August of this year, and the vulnerabilities were reported to Microsoft and the Zero Day Initiative (ZDI) that same month.

However, a patch hasn’t yet been released. Microsoft acknowledged the vulnerabilities today, September 30, 2022, and assigned them CVE designations. According to Microsoft, the two vulnerabilities have been used together in attacks against Exchange Servers: successful exploitation of the SSRF vulnerability enables exploitation of the RCE vulnerability. Both vulnerabilities require authenticated access to the target Exchange Server.

What should you do?

While waiting for Microsoft to issue a patch, security teams can take a few actions to mitigate risk for their organizations. We recommend:

  • First, for any on-prem customers, teams should immediately take the steps outlined by Microsoft to block exposed Remote PowerShell ports.
  • Next, review your Exchange configuration to determine if Outlook Web App (OWA) is exposed to the internet. If the answer is “yes,” then determine if it’s necessary for any current business needs and evaluate the risk accordingly. (Pro tip: services like Shodan and Censys can help determine what services are publicly accessible.)
  • If you’ve had a Hybrid deployment as part of migration efforts, consider performing an additional asset inventory check to ensure on-prem Exchange servers were taken offline post-migration as appropriate.
  • Finally, continue to monitor for additional updates from Microsoft for any new mitigation measures as the situation develops.

At Expel, we’re also reviewing all alerts for the past 30 days for known indicators of compromise (IOCs), reviewing alert activity for organizations running on-prem Microsoft Exchange Server, and validating detections for potential web shell delivery and activity.

What does it mean for next time?

When responding to zero-days, keep in mind that it’s not necessarily about the patch, because there isn’t one. You can try to detect the exploits themselves, but your time is likely better spent building detection workflows that alert when something isn’t right.

Your best bet for detecting an issue before it’s known publicly? Build, deploy, and continuously improve alerting for behavioral patterns that suggest something’s amiss. (More on this in our annual cybersecurity trends report, Great eXpeltations 2022.) In this specific Microsoft scenario, it’s important to have endpoint visibility into on-prem Microsoft Exchange Servers, and the ability to detect suspicious Exchange and IIS Worker processes.
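As an added illustration of the kind of behavioral detection described above (this is example code written for this post, not Expel’s detection logic or any Microsoft tooling), the following script flags process-creation events where the IIS worker process (w3wp.exe, which hosts Exchange’s web front end including OWA) spawns a command interpreter or other living-off-the-land binary. It also pulls the IIS application pool name out of the parent’s command line so an analyst can see which Exchange component the worker was serving; the `-ap "<pool>"` argument format and the event records are assumptions for this example, and the sample events are constructed.

```python
"""
Added example: behavioral detection for suspicious children of the IIS worker
process (w3wp.exe) on an on-prem Exchange host.

Assumptions (not from the original post):
  - Process-creation telemetry (Sysmon event 1, EDR, etc.) is available as
    records with image, parent image, and command lines.
  - w3wp.exe is launched with an '-ap "<AppPoolName>"' argument, which is used
    here to label which Exchange app pool the worker belonged to.
The sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

IIS_WORKER = "w3wp.exe"

# Children that an Exchange web worker process has no routine reason to start.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

APP_POOL_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str                 # full path of the new process
    command_line: str
    parent_image: str          # full path of the parent process
    parent_command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    app_pool: Optional[str]    # Exchange app pool the worker served, if known
    child: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def app_pool(parent_command_line: str) -> Optional[str]:
    """Extract the IIS application pool name from a w3wp.exe command line."""
    match = APP_POOL_RE.search(parent_command_line)
    return match.group(1) if match else None


def is_suspicious(evt: ProcessEvent) -> bool:
    """True when w3wp.exe spawns a binary from the suspicious set."""
    return (basename(evt.parent_image) == IIS_WORKER
            and basename(evt.image) in SUSPICIOUS_CHILDREN)


def find_alerts(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run the rule over a stream of events and return one Alert per hit."""
    return [
        Alert(host=e.host, app_pool=app_pool(e.parent_command_line),
              child=basename(e.image), command_line=e.command_line)
        for e in events if is_suspicious(e)
    ]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample telemetry: two hits, two benign events.
SAMPLE_EVENTS = [
    ProcessEvent("EXCH01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"'),
    ProcessEvent("EXCH01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden",
                 W3WP, f'{W3WP} -ap "MSExchangePowerShellAppPool" -v "v4.0"'),
    # Benign: the IIS service starting a worker process.
    ProcessEvent("EXCH01", W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"',
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k iissvcs"),
    # Benign for this rule: an admin opening PowerShell from Explorer.
    ProcessEvent("EXCH01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[{alert.host}] w3wp.exe ({alert.app_pool}) spawned "
              f"{alert.child}: {alert.command_line}")
```

The rule is deliberately narrow (parent/child relationship only) so it produces few false positives on an Exchange server; in a real deployment you would feed it from your EDR or Sysmon pipeline rather than a static list, and tune the child set to your environment.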

We’re continuing to monitor this evolving situation, and will keep our customers updated as new information emerges.