Microsoft has released a new security update for two Microsoft Exchange Server zero-day vulnerabilities under limited targeted attacks in the wild.
Microsoft is aware of exploits against the zero-days (researchers dubbed “ProxyNotShell”) affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft wrote in a blog post.
Regarding CVE-2022-41040, Microsoft provided a workaround script for the URL Rewrite mitigation steps, a blocking rule in IIS Manager to block the known attack patterns and mitigate the flaw. Other workaround options were also published by Microsoft.
For CVE-2022-41082, an attacker with authenticated access to a vulnerable Exchange Server could leverage PowerShell to launch remote code execution.
“We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detections guidance below to help customers protect themselves from these attacks,” Microsoft explained.
Microsoft Exchange Online is not affected.