Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

Microsoft officially disclosed it investigating two zero-day
security vulnerabilities impacting Exchange Server 2013, 2016, and
2019 following reports of in-the-wild
exploitation^[1].

“The first vulnerability, identified as CVE-2022-41040^[2], is a Server-Side
Request Forgery (SSRF^[3]) vulnerability, while
the second, identified as CVE-2022-41082^[4], allows remote code
execution (RCE) when PowerShell is accessible to the attacker,” the
tech giant said^[5].

The company also confirmed that it’s aware of “limited targeted
attacks” weaponizing the flaws to obtain initial access to targeted
systems, but emphasized that authenticated access to the vulnerable
Exchange Server is required to achieve successful exploitation.

The attacks detailed by Microsoft show that the two flaws are
stringed together in an exploit chain, with the SSRF bug enabling
an authenticated adversary to remotely trigger arbitrary code
execution.

The Redmond-based company also confirmed that it’s working on an
“accelerated timeline” to push a fix, while urging on premises
Microsoft Exchange customers to add a blocking rule in IIS Manager
as a temporary workaround to mitigate potential threats.

It’s worth noting that Microsoft Exchange Online Customers are
not affected. The steps to add the blocking rule are as follows
–

1. Open the IIS Manager
2. Expand the Default Web Site
3. Select Autodiscover
4. In the Feature View, click URL Rewrite
5. In the Actions pane on the right-hand side, click Add
   Rules
6. Select Request Blocking and click OK
7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding
   quotes) and click OK
8. Expand the rule and select the rule with the Pattern
   “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under
   Conditions
9. Change the condition input from {URL} to {REQUEST_URI}