2022-09-30
Potentially New Microsoft Exchange Flaw Actively Exploited
Zero-day remote code execution vulnerabilities in Microsoft Exchange servers are being actively exploited, according to researchers from GTSC. The flaws can be chained to deploy web shells on vulnerable servers. The GTSC researchers notified Microsoft of the vulnerabilities three weeks ago via the Zero Day Initiative, which has given them identifiers: ZDI-CAN-18333 and ZDI-CAN-18802.
Editor's Note
Right now, information about this issue is still not complete. But there is a high probability that a new Microsoft Exchange flaw has been abused in the wild to compromise Exchange and install web shells. You should still double check that your Exchange servers are patched, and make sure you have detection rules in place to pick up any post exploit activity.

Johannes Ullrich
The Microsoft guidance for this vulnerability (first link below) two vulnerabilities CVE-2022-41040 is a server side request forgery and CVE-2022-41082 is a RCE flaw which is exploited using power shell. Both flaws require authenticated access and only apply to your on-premises exchange environment. There is not currently a patch so you need to implement the mitigations which include augmenting URL rewrite configuration for your autodiscover service to block known attack patterns and blocking HTTP/HTTPS ports 5895 and 5896. Better still migrate off your on-premises exchange servers.

Lee Neely
Read more in
Microsoft: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
Gteltsc: Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server
SC Magazine: New Microsoft Exchange zero-day actively exploited, security firm says
Bleeping Computer: New Microsoft Exchange zero-day actively exploited in attacks
The Register: Stop us if you've heard this one before: Exchange Server zero-day being actively exploited