Dive Brief:
- Microsoft is investigating reports of two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019, according to a blog post issued Friday. The vulnerabilities do not affect Microsoft Exchange Online customers.
- The first vulnerability, CVE-2022-41040, is a server-side request forgery vulnerability, Microsoft said. The second, CVE-2022-41082, allows remote code execution when a threat actor has access to PowerShell.
- Microsoft confirmed it was aware of limited targeted incidents in which attackers used the two vulnerabilities to compromise systems. In those incidents, CVE-2022-41040 enabled an authenticated attacker to remotely trigger CVE-2022-41082.
Dive Insight:
Security researcher Kevin Beaumont on Thursday retweeted a report from GTSC Cyber Security, which said it first detected exploitation of a new zero-day in August.
The GTSC report noted that researchers detected webshells dropped to Exchange servers and said the attacker was using Antsword, a Chinese-based open source website administration tool.
Beaumont said significant numbers of Exchange servers had been backdoored — including a honeypot.
Researchers noted similarities to ProxyShell, which emerged in 2021; after additional investigation, however, they concluded this was a new vulnerability.
Researchers from Huntress said they are actively looking for red flags and potential signs of exploitation.
Microsoft stressed that authenticated access is necessary to exploit either of the two vulnerabilities.