
Stop us if you've heard this one before: Exchange Server zero-days actively exploited

Remember this next time Microsoft talks about how seriously it takes security

Updated: Infosec experts have warned that zero-day flaws in Microsoft's Exchange Server are being actively exploited.

A Vietnamese outfit called GTSC appears to have identified the holes, explaining in an advisory how a pair of security bugs can be exploited together to achieve remote code execution on Exchange installations.

The biz reported its findings to the Zero Day Initiative, which has assigned the ID ZDI-CAN-18333 to one flaw rated 8.8 on the ten-point Common Vulnerability Scoring System (CVSS) severity scale. The second flaw, ZDI-CAN-18802, is rated 6.3 out of 10.

Details of the vulnerabilities are scanty, with GTSC’s post detailing its observations of webshells with Chinese characteristics being dropped onto Exchange servers compromised via these two vulnerabilities. Each webshell “injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through the Windows Management Instrumentation Command line (WMIC)."

That effort effectively makes the hijacked machine remote controllable, and that seldom ends well.
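The behaviour GTSC describes, a webshell that drops files and runs them through WMIC, leaves a distinctive trace: the IIS worker process that hosts Exchange's web front end (w3wp.exe) becomes the parent of wmic.exe, cmd.exe or powershell.exe, which it almost never is in normal operation. The following hunt is an added example, not code from GTSC, Microsoft or this article; it runs over Sysmon-style process-creation records, and the sample events are constructed for the example.

```python
"""
Hunt for the post-exploitation pattern described above: the IIS worker
process (w3wp.exe, which hosts Exchange's web front end) spawning a
scripting or WMI shell. Input records mirror the fields of a Sysmon
Event ID 1 (ProcessCreate) export; the events below are constructed
for this example and are not taken from a real compromise.
"""
import re
from dataclasses import dataclass

# Child processes a webshell typically uses to execute what it dropped.
SUSPICIOUS_CHILDREN = {"wmic.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}

# WMIC's syntax for launching a new process.
WMIC_SPAWN = re.compile(r"process\s+call\s+create", re.IGNORECASE)

# Constructed sample events (assumption: exported from Sysmon or an EDR).
SAMPLE_EVENTS = [
    # Benign: IIS service host starting a worker process.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"',
     "User": r"NT AUTHORITY\SYSTEM"},
    # Suspicious: worker process running a dropped file through WMIC.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "C:\ProgramData\update.exe"',
     "User": r"NT AUTHORITY\SYSTEM"},
    # Suspicious: worker process spawning an interactive shell.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Benign: an administrator opening a shell from Explorer.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe",
     "User": r"CORP\admin"},
]


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events) -> list:
    """Return a Finding for every event where w3wp.exe spawned a shell-like child."""
    findings = []
    for event in events:
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
            continue
        cmdline = event.get("CommandLine", "")
        reason = f"IIS worker process spawned {child}"
        if child == "wmic.exe" and WMIC_SPAWN.search(cmdline):
            reason += " to launch another process (WMIC execution as in GTSC's report)"
        findings.append(Finding(parent, child, cmdline, reason))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.command_line}")
```

Any hit should be triaged against what is expected on that particular server, since the pattern is rare but not impossible in legitimate administration; a hit whose command line points at a freshly written file under a world-writable directory is the case to escalate first.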

At this stage a good ending to this story is hard to envision, because while GTSC has outlined mitigations in its post, Microsoft is yet to issue a fix. History tells me that even once Microsoft publishes a patch, many thousands of Exchange users will not implement it promptly.

And to be clear, it appears these flaws are already being exploited in the wild. Infosec watcher Kevin Beaumont tweeted news he’s aware of active attacks, too.

These security holes are just the latest in a long list of problems with Exchange, Microsoft's flagship messaging product. The most infamous in recent times were the flaws exploited by China's Hafnium crew. Scarcely a month passes without Microsoft finding other Exchange flaws it deems worthy of a Patch Tuesday update, but the software giant has also recently pledged to improve the server's security by adopting zero-trust principles for connections to the product. ®

Updated to add

Microsoft has confirmed there are two zero-day flaws in Exchange Server: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, a remote-code execution hole.

According to the Windows giant, miscreants are exploiting both in a chain to hijack a vulnerable system and gain control of it via PowerShell. Exploitation requires the intruder to be authenticated, so valid credentials or some existing foothold are needed first. According to Redmond:

At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

We are working on an accelerated timeline to release a fix.

While we wait for patches, see here for mitigations and advice. Exchange Online has, we're told, already applied these protections. We'll let you know when a fix is available.
