Microsoft investigating 2 zero-day vulnerabilities in Exchange Server

One vulnerability is a server-side request forgery, while the second allows remote-code execution when an attacker has access to PowerShell.

Dive Brief:

  • Microsoft is investigating reports of two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019, according to a blog post issued Friday. The vulnerabilities do not affect Microsoft Exchange Online customers.
  • The first vulnerability, CVE-2022-41040, is a server-side request forgery vulnerability, Microsoft said. The second, CVE-2022-41082, allows remote-code execution when a threat actor has access to PowerShell. 
  • Microsoft confirmed it was aware of limited targeted incidents with attackers using the two vulnerabilities to compromise systems. In these incidents, CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082.

Further reading:

https://www.cybersecuritydive.com/news/microsoft-zero-day-exchange-server/633073/