Two New Post-Auth 0-Day Vulnerabilities Affecting Microsoft Exchange Servers

Two post-auth 0-day vulnerabilities were discovered in the latest version of the MS Exchange servers. The vulnerabilities are tagged CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE).
Published on September 30, 2022
Updated on April 19, 2023
Category: Vulnerability Intelligence
Vulnerability Class: Post-Auth SSRF, RCE
CVE ID: CVE-2022-41040, CVE-2022-41082
CVSS:3.0 Score: 8.8, 6.3

Executive Summary

  • Two post-auth 0-day vulnerabilities discovered in the latest version of the MS Exchange servers.
  • The vulnerabilities are tagged CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE).
  • CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082.
  • The vulnerability can allow threat actors to gain initial access to an organization’s systems/network and conduct further exploitation.
  • Follow the latest guidance from Microsoft (Microsoft Guidance) until a security patch is released.

Technical Analysis

  • Security company GTSC identified exploitation attempts in Microsoft IIS Server logs for a client.
  • Internet Information Services (IIS) is an adaptable and secure web server for hosting anything on the Internet.
  • The exploit requests were very similar to the requests previously used to exploit the ProxyShell vulnerability.
  • Investigation by the GTSC team confirmed the presence of two post-auth 0-day vulnerabilities in the latest version of Microsoft Exchange servers.
  • The vulnerabilities have been submitted to the Zero Day Initiative (ZDI) and assigned the following IDs:
    • ZDI-CAN-18333
    • ZDI-CAN-18802

About the Vulnerabilities

  • Microsoft assigned CVE-2022-41040 to the SSRF vulnerability and CVE-2022-41082 to the RCE vulnerability.
  • It is required for the attacker to have authenticated access to the vulnerable Exchange server to be able to exploit the vulnerabilities.
  • Exploitation of CVE-2022-41040 is used to trigger the RCE vulnerability CVE-2022-41082.
  • As per Microsoft, CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. It is, however, important to note that there are other methods to exploit the Exchange servers for RCE without PowerShell.
  • Since the exploitation requires the attacker to be authenticated, techniques like credential stuffing attacks could be used to obtain authentication.
  • Brute-forcing email/domain usernames with commonly used passwords is observed as a common technique among attackers to gain access to Exchange servers.

Information from OSINT

  • As per Shodan, currently there are more than two hundred thousand active MS Exchange servers.
[Figure: Screenshot of the Shodan search results for active MS Exchange servers]

Possible Impact

  • By exploiting this vulnerability, threat actors can gain remote control of MS Exchange servers.
  • The above access can be exploited for the following:
    • Executing commands
    • Privilege escalation
    • Downloading malicious files
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, install botnets and maintain persistence.

Mitigation Measures

Note: These mitigations have been sourced from the guidance released by Microsoft.
On-premises Microsoft Exchange customers should review and apply the following “URL Rewrite” instructions and block any exposed Remote PowerShell ports.
    • Open the IIS Manager
    • Expand the Default Web Site
    • Select Autodiscover
    • In the Feature View, click URL Rewrite
    • Click on the Add Rules option available in the Actions pane.
    • Select Request Blocking and click OK
    • Add string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
    • Expand and select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”
    • Click Edit under Conditions
    • Change the condition input from {URL} to {REQUEST_URI}
  • Refer to the Appendix section for the screenshots describing the above steps.
  • There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
  • Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will also be able to trigger RCE using CVE-2022-41082. Blocking the following ports used for Remote PowerShell can limit these attacks.
    • HTTP: 5985
    • HTTPS: 5986

Indicators of Compromise

Note: These IOCs are from the attack detected by the GTSC team.
SHA256 Hashes
IP Address

Appendix

[Figure: Vulnerabilities listed on ZDI website]
[Figure: Screenshot of the Microsoft IIS Server logs containing the URL Rewrite option]
[Figure: Screenshot of the Add Rules option present in the Actions pane of the URL Rewrite]
[Figure: Screenshot of the Request Blocking option present in the Add Rules dialogue box]
[Figure: Screenshot of adding the string in the Pattern (URL Path) data field]
[Figure: Screenshot of the Pattern selection]
[Figure: Screenshot of the Condition input being changed to {REQUEST_URI}]
