Microsoft Exchange server zero-day mitigation can be bypassed

Home/Internet Security, Microsoft, Security Advisory, Security Update/Microsoft Exchange server zero-day mitigation can be bypassed

Microsoft Exchange server zero-day mitigation can be bypassed

Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild.

The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.  

Successful exploitation of the CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. 

RCE chain

In GTSC’s original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).


Microsoft confirmed the two issues on Friday and said it was aware of “limited targeted attacks” exploiting them.

As part of a recommendation, Microsoft shared mitigations for on-premises servers and a strong recommendation for Exchange Server customers to “disable remote PowerShell access for non-admin users” in the organization.”

To reduce the risk of exploitation, Microsoft suggested blocking known attack patterns with a rule in IIS Manager:

  1. Open IIS Manager.
  2. Choose default site.
  3. In the **Functions View**, click URL rewrite.
  4. In which Actions pane on the right, click Add Rules….
  5. Select **Request Block** and click on it OK.
  6. Add the string “.autodiscover.json.*@.*Powershell.‘ (without the quotation marks) and then click OK.
  7. Expand the rule and select the rule with the pattern “autodiscover.json.*@.*Powershell.‘ and click Edit under conditions.
  8. change that condition input from {URL} to {REQUEST_URI}

Microsoft also recommends customers block the following Remote PowerShell ports:

  1. HTTP: 5985
  2. HTTPS: 5986

Microsoft also recommends Exchange Server customers disable remote PowerShell access for non-admin users in the organization.

Researchers at GTSC published a video PoC to demonstrate how to bypass the mitigation for the two vulnerabilities.

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

By | 2022-10-04T15:55:49+05:30 October 4th, 2022|Internet Security, Microsoft, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!