New Microsoft Exchange Vulnerabilities Exploited By Attackers

The Redmond, Wash.-based tech giant is confirming two zero-day vulnerabilities found in popular Exchange.

Microsoft has confirmed the existence of two zero-day vulnerabilities in Microsoft Exchange – and they’re already being used to launch cyberattacks against organizations.

In a blog post, the giant software and cloud computing company acknowledged what Vietnamese cybersecurity company GTSC had previously announced: that there are indeed two major Exchange vulnerabilities and that they’re being exploited in the wild.

“Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019,” the Redmond, Wash.-based company said in its post.

[RELATED STORY: Microsoft Confirms ‘Follina’ Office Zero-Day Vulnerability]

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. “

The company then ominously added: “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.”

The blog post went on to say that Microsoft was “monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers.”

Microsoft said it’s now “working on an accelerated timeline to release a fix” but, until then, it provided “mitigations and detections guidance” in its blog post in order to “help customers protect themselves from these attacks.”

The post then lays out detailed mitigation guidance that user can follow.

A representative from Microsoft couldn’t be reached by CRN for additional comment.

On Twitter, cybersecurity researcher Kevin Beaumont suggested there’s more cyberactivity related to the Exchange vulnerabilities than Microsoft might be acknowledging.

“I can confirm significant numbers of Exchange servers have been backdoored - including a honeypot,” he said.

Earlier this week, Bleeping Computer reported that GTSC “suspects that a Chinese threat group is responsible for the attacks based on the web shells‘ code page, a Microsoft character encoding for simplified Chinese.”

In an interview with CRN, Martin Zugec, technical solutions director at Bitdefender, a cybersecurity vendor based in Bucharest, Romania and with offices in the U.S., said he’s “not surprised” that bad actors are taking advantages of vulnerabilities in the popular Microsoft Exchange.

“They are looking for the targets that are massively deployed,” he said.

He added of cybercriminals in general: “They are going to identify the software components that are deployed massively in all of networks. They are then deploying these automated scanners to find the vulnerable systems.”