Security Advisory - Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

Updated: Dec 28, 2022

Microsoft has officially announced that it is investigating two zero-day security flaws in Exchange Server 2013, 2016, and 2019, following reports of in-the-wild exploitation.

The first vulnerability is CVE-2022-41040 and the second is CVE-2022-41082; the latter "allows remote code execution (RCE) when PowerShell can be accessed by the attacker," Microsoft said.

The company confirmed that it is aware of "limited targeted attacks" using the flaws to gain initial access to targeted systems. However, the company stressed that authenticated access to a vulnerable Exchange Server is necessary for successful exploitation.

Microsoft reveals that both flaws can be linked in an exploit chain: the SSRF bug allows an authenticated remote adversary to reach the second flaw and trigger arbitrary code execution.

Redmond-based Microsoft also confirmed it is working on an "accelerated timeline" to push a fix. In the meantime it urged on-premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate possible threats. Microsoft Exchange Online customers are not affected. These are the steps to add the blocking rule:

  1. Open the IIS Manager

  2. Expand the Default Web Site

  3. Select Autodiscover

  4. In the Feature View, click URL Rewrite

  5. In the Actions pane on the right-hand side, click Add Rules

  6. Select Request Blocking and click OK

  7. Add String ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK

  8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions

  9. Change the condition input from {URL} to {REQUEST_URI}
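As a defender-side check on the workaround above (an added example, not Microsoft's or WatchTower365's code), this Python script models the IIS URL Rewrite rule against constructed request URIs and a constructed IIS W3C log excerpt. It shows why step 9 matters: the `{URL}` server variable carries only the request path, while `{REQUEST_URI}` also carries the query string, which is where the pattern's `@` and `Powershell` segments appear.

```python
import re
from urllib.parse import urlsplit

# Interim blocking pattern from Microsoft's guidance, as quoted in the advisory.
# IIS URL Rewrite matches case-insensitively by default ("Ignore case" is checked),
# so re.IGNORECASE models the rule as the wizard creates it.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def server_variables(request_uri):
    """Model the two IIS server variables the rule condition can read:
    {URL} holds only the path; {REQUEST_URI} holds path plus query string."""
    parts = urlsplit(request_uri)
    return {"URL": parts.path, "REQUEST_URI": request_uri}


def is_blocked(request_uri, condition_input="REQUEST_URI"):
    """True if the rule would block this request for the chosen condition input."""
    value = server_variables(request_uri)[condition_input]
    return BLOCK_PATTERN.match(value) is not None


def flag_iis_log(lines):
    """Return (line_no, uri) for W3C log lines whose cs-uri-stem + cs-uri-query match.
    Assumes the default field order: date time s-ip cs-method cs-uri-stem cs-uri-query ..."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):      # W3C header/comment lines
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        stem, query = fields[4], fields[5]
        uri = stem if query == "-" else f"{stem}?{query}"
        if BLOCK_PATTERN.match(uri):
            hits.append((n, uri))
    return hits


# Constructed sample URIs (not real traffic): a normal Autodiscover lookup, which has an
# "@" in the mailbox address but no "Powershell", and one that matches the block pattern.
BENIGN = "/autodiscover/autodiscover.json?Email=user@example.test&Protocol=Autodiscoverv1"
MATCHING = "/autodiscover/autodiscover.json?@example.test/powershell"

# Constructed IIS W3C log excerpt (hosts and addresses are placeholders).
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2022-09-30 10:00:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test 443 - 10.0.0.9",
    "2022-09-30 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/Powershell 443 - 10.0.0.9",
    "2022-09-30 10:00:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.9",
]

if __name__ == "__main__":
    for uri in (BENIGN, MATCHING):
        print(uri, "| {URL}:", is_blocked(uri, "URL"), "| {REQUEST_URI}:", is_blocked(uri))
    print(flag_iis_log(SAMPLE_LOG))
```

With the condition left on `{URL}` the matching request is not blocked at all, since the path alone never contains `@` or `Powershell`; the benign lookup is not blocked under either setting.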

