Zero Day Vulnerabilities Found in Microsoft Exchange Server


In the last 24 hours there have been reports online of two zero-day vulnerabilities detected in Microsoft Exchange Server. These vulnerabilities apply only to on-premises Exchange Server 2013, 2016, and 2019. They do not apply to Microsoft Exchange Online, which is part of the Office 365 suite.

What We Know

Microsoft reported on the vulnerabilities:

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks.

Microsoft Exchange Online has detections and mitigations in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers.”

What to do

Microsoft is working on a patch for these vulnerabilities right now, but while that is in progress they have published a suggested mitigation path that may offer some protection in the meantime. The link above includes their specific instructions on what you can do to protect your Exchange installation.

It’s important to remember that this DOES NOT affect businesses that are using Office 365, and ONLY those that are still using an on-premises Exchange Server. Most small and medium businesses have already made the move to Office 365 and should not be concerned. i.t.NOW has a very small subset of clients with in-house Exchange, and our security team is looking into putting the correct mitigations in place.

It’s also important to remember that Microsoft states that an attacker must have “authenticated access” to the Exchange Server to be able to use the exploit. That means they would have already infiltrated the network and gained admin access. i.t.NOW works to secure all client networks with perimeter security that would make gaining such access difficult.

One More Reason

If you needed one more reason to ditch your on-premises Exchange Server in favor of Office 365 beyond all those I recently wrote about here, perhaps this is it. We’ve recommended for some time that all our clients make this move, and the vast majority have already done so. Microsoft will soon release a patch that fixes these vulnerabilities, and for those who have not yet made the move we will get it applied right away to ensure their continued safe operation.

i.t.NOW and our security team are here to help. Don’t hesitate to reach out if you have questions.