CVE-2022-41040 and CVE-2022-41082 in Brief
On September 29, 2022, a cybersecurity company published a report [1] describing previously unknown vulnerabilities it had discovered in Microsoft Exchange. The vulnerabilities are very similar to another Exchange vulnerability discovered last year, named ProxyShell.
Microsoft has acknowledged the new vulnerabilities and assigned them the following CVE numbers: CVE-2022-41040 and CVE-2022-41082. It is important to note that these vulnerabilities affect organizations that run Exchange on-premises.
Customer Response
Microsoft has published [2] guidance on mitigations that can be implemented by those who run Microsoft Exchange on-premises. If you run Exchange on-premises, you therefore need to decide whether to implement these temporary mitigations or to disconnect Outlook Web Access (OWA) from the internet until a patch is available to be applied.
Truesec Response
We have been monitoring developments since the report was published and have detection rules in place for attempts to exploit these vulnerabilities. We are also proactively threat hunting (where possible, necessary and relevant), both for all known indicators and for the behaviors that would be expected to follow successful exploitation.
We are also continuing to monitor for exploitation attempts and for threat actors scanning for potentially vulnerable servers.
Concluding Remarks on Exchange Vulnerability
This is an ongoing situation that we are monitoring closely. If judged necessary and relevant, we will update this notice as more information becomes available.