Newly discovered zero-days in Microsoft Exchange Server are being used actively in cyberattacks.
The two zero-day vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, Microsoft Security Response Center (MSRC) has warned, after the exploits were disclosed by researchers at Vietnamese cybersecurity firm GTSC.
One (CVE-2022-41040) is a is a Server-Side Request Forgery (SSRF) vulnerability, an exploit that allows attackers to make server-side application requests from an unintended location – for example, allowing them to access internal services without being within the perimeter of the network.
The other (CVE-2022-41082) allows remote code execution when PowerShell is accessible to the attacker.
When combined, CVE-2022-414040 can allow attackers to trigger CVE-2022-41082 – although Microsoft notes that this is only possible if the attacker has also authenticated access to the vulnerable Exchange Server.
Nonetheless, Microsoft says it’s “aware of limited targeted attacks using the two vulnerabilities to get into users’ systems” and that the company is working on an “accelerated timeline” to release a fix.
To mitigate the vulnerabilities for now, on-premises Microsoft Exchange customers should review and apply URL Rewrite Instructions detailed in the alert and block exposed Remote PowerShell ports. Microsoft says Exchange Online customers don’t need to take any action.
“Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers,” the company said – however other cybersecurity researchers have suggested Microsoft Exchange Online customers could be affected.
Currently, there’s no publicly disclosed information about who is being targeted by attacks exploiting the zero-day vulnerabilities or who could be behind the attacks.
Microsoft Exchange Servers make a very tempting target for malicious hackers. Not only can attacks that successfully compromise Exchange be used to access sensitive information, they can also open the door to additional attacks – and victims might never be aware they’ve been targeted.
“We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the temporary remedy as soon as possible to avoid potential serious damages,” said researchers at GTSC.
MORE ON CYBERSECURITY
READ MORE HERE