⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-10-21.

CVE-2022-41040

CWE-918 — Server-Side Request Forgery (SSRF)CWE-269 — Improper Privilege Management26 documents18 sources

Severity

8.8HIGH

EPSS

94.1%

top 0.08%

CISA KEV

KEVRansomware

Added 2022-09-30

Due 2022-10-21

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Microsoft Exchange Server 2016 Cumulative Update 22 Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 +3 more

Timeline

KEV addedSep 30

PublishedOct 3

KEV dueOct 21

Latest updateJun 28

CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5microsoft/microsoft_exchange_server_2013_cumulative_update_2315.00.0 — 15.00.1497.044

▶CVEListV5microsoft/microsoft_exchange_server_2016_cumulative_update_2215.0.0 — 15.01.2375.037

▶CVEListV5microsoft/microsoft_exchange_server_2016_cumulative_update_2315.01.0 — 15.01.2507.016

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_1115.02.0 — 15.02.0986.036

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_1215.02.0 — 15.02.1118.020

Patches

Patch: msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-6ph7-8wxv-6gf2: Microsoft Exchange Server Elevation of Privilege Vulnerability↗2022-10-04

▶

CVEList

Microsoft Exchange Server Elevation of Privilege Vulnerability↗2022-10-03

▶

VulnCheck

Microsoft Exchange Server Server-Side Request Forgery Vulnerability↗2022

▶

💥Exploits & PoCs

Metasploit

Microsoft Exchange ProxyNotShell RCE↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt - OWASSRF (CVE-2022-41040, CVE-2022-41082)↗2022-12-23

▶

Suricata

ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082)↗2022-09-30

▶

📋Vendor Advisories

CISA

Microsoft Exchange Server Server-Side Request Forgery Vulnerability↗2022-09-30

▶

Microsoft

Microsoft Exchange Server Elevation of Privilege Vulnerability↗2022-09-13

▶

🕵️Threat Intelligence

Unit42

Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor↗2023-06-28

▶

Securelist

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange↗2022-12-19

▶

Trendmicro

Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend↗2022-11-16

▶

Trendmicro

Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend↗2022-11-16

▶

Trendmicro

Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend↗2022-11-16

▶

💬Community

HackerOne

mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040↗2022-10-13

▶