Vulnerability-Lookup

CVE-2022-41040 (GCVE-0-2022-41040)

Vulnerability from cvelistv5 – Published: 2022-10-03 00:00 – Updated: 2025-10-21 23:15

CISA KEV KEVintel KEV

Title

Microsoft Exchange Server Elevation of Privilege Vulnerability

Summary

Microsoft Exchange Server Elevation of Privilege Vulnerability

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

SSVC

Exploitation: active Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

Elevation of Privilege
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

microsoft

References

6 references

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisory
https://portal.msrc.microsoft.com/en-US/security-…	x_transferred
https://www.kb.cert.org/vuls/id/915563	third-party-advisoryx_transferred
http://packetstormsecurity.com/files/170066/Micro…	x_transferred
https://www.secpod.com/blog/microsoft-november-20…	x_transferred
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

5 products

Vendor	Product	Version
Microsoft	Microsoft Exchange Server 2013 Cumulative Update 23	Affected: 15.00.0 , < 15.00.1497.044 (custom)
Microsoft	Microsoft Exchange Server 2016 Cumulative Update 22	Affected: 15.0.0 , < 15.01.2375.037 (custom)
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 11	Affected: 15.02.0 , < 15.02.0986.036 (custom)
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 12	Affected: 15.02.0 , < 15.02.1118.020 (custom)
Microsoft	Microsoft Exchange Server 2016 Cumulative Update 23	Affected: 15.01.0 , < 15.01.2507.016 (custom)

Date Public

2022-09-30 07:00

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 51242530-97c6-45a1-8bf8-51ba025e0039

Vulnerability ID: CVE-2022-41040

Status: Confirmed

Status Updated: 2022-09-30 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-09-30

Asserted: 2022-09-30

Scope

Notes: KEV entry: Microsoft Exchange Server Server-Side Request Forgery Vulnerability | Affected: Microsoft / Exchange Server | Description: Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. | Required action: Apply updates per vendor instructions. | Due date: 2022-10-21 | Known ransomware campaign use (KEV): Known | Notes (KEV): https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; https://nvd.nist.gov/vuln/detail/CVE-2022-41040

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-918
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Exchange Server
Due Date	2022-10-21
Date Added	2022-09-30
Vendorproject	Microsoft
Vulnerabilityname	Microsoft Exchange Server Server-Side Request Forgery Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2022-41040

Created: 2026-02-02 12:27 UTC | Updated: 2026-02-06 07:17 UTC

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 7923ac3d-496d-4715-8790-db8feaf588a4

Vulnerability ID: CVE-2022-41040

Status: Confirmed

Status Updated: 2022-09-30 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-09-30

Asserted: 2022-09-30

Scope

Notes: KEVIntel entry: Microsoft Exchange Server Elevation of Privilege Vulnerability | Affected: Microsoft / Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange Server 2016 Cumulative Update 22, Microsoft Exchange Server 2019 Cumulative Update 11, Microsoft Exchange Server 2019 Cumulative Update 12, Microsoft Exchange Server 2016 Cumulative Update 23 | CVSS: 8.8 (HIGH) | Used in malware: yes | Not yet in CISA KEV: False

Evidence

Type: Public Report

Signal: Confirmed Compromise

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	Microsoft Exchange Server Elevation of Privilege Vulnerability
Vendor	Microsoft
Product	Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange Server 2016 Cumulative Update 22, Microsoft Exchange Server 2019 Cumulative Update 11, Microsoft Exchange Server 2019 Cumulative Update 12, Microsoft Exchange Server 2016 Cumulative Update 23
Added Date	2022-09-30T00:00:00.000Z
Cvss Score	8.8
Epss Score	None
Cvss Severity	HIGH
Epss Percentile	None
Used In Malware	yes
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	False

References

Created: 2026-06-19 12:47 UTC | Updated: 2026-06-19 12:47 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:35:49.189Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040"
          },
          {
            "name": "VU#915563",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/915563"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41040",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-23T21:11:09.910371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-09-30",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:33.946Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-09-30T00:00:00.000Z",
            "value": "CVE-2022-41040 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2013 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.00.1497.044",
              "status": "affected",
              "version": "15.00.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 22",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2375.037",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 11",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.0986.036",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 12",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1118.020",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.016",
              "status": "affected",
              "version": "15.01.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.00.1497.044",
                  "versionStartIncluding": "15.00.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_22:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2375.037",
                  "versionStartIncluding": "15.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_11:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.0986.036",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_12:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1118.020",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.016",
                  "versionStartIncluding": "15.01.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2022-09-30T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of Privilege",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T16:10:48.981Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2022-41040",
    "datePublished": "2022-10-03T00:00:00.000Z",
    "dateReserved": "2022-09-19T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:33.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-41040",
      "cwes": "[\"CWE-918\"]",
      "dateAdded": "2022-09-30",
      "dueDate": "2022-10-21",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/;  https://nvd.nist.gov/vuln/detail/CVE-2022-41040",
      "product": "Exchange Server",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Microsoft Exchange Server allows for server-side request forgery. Dubbed \"ProxyNotShell,\" this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability"
    },
    "epss": {
      "cve": "CVE-2022-41040",
      "date": "2026-06-20",
      "epss": "0.99945",
      "percentile": "0.99972"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-10-21",
      "cisaExploitAdd": "2022-09-30",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA166F2A-D83B-4D50-AD0B-668D813E0585\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*\", \"matchCriteriaId\": \"449CE85B-E599-44D3-A7C1-5133F6A55E86\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*\", \"matchCriteriaId\": \"FF76AEDA-E574-40ED-B64F-8FDEF8CAC802\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*\", \"matchCriteriaId\": \"435343A4-BF10-461A-ABF2-D511A5FBDA75\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*\", \"matchCriteriaId\": \"B23C8E3E-5243-4DA6-B9AA-F6053084B55E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Microsoft Exchange Server Elevation of Privilege Vulnerability\"}, {\"lang\": \"es\", \"value\": \"Una Vulnerabilidad de Elevaci\\u00f3n de Privilegios en Microsoft Exchange Server\"}]",
      "id": "CVE-2022-41040",
      "lastModified": "2025-01-02T20:16:00.183",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secure@microsoft.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2022-10-03T01:15:08.753",
      "references": "[{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/915563\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "secure@microsoft.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-41040\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2022-10-03T01:15:08.753\",\"lastModified\":\"2025-10-30T19:36:50.693\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Microsoft Exchange Server Elevation of Privilege Vulnerability\"},{\"lang\":\"es\",\"value\":\"Una Vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2022-09-30\",\"cisaActionDue\":\"2022-10-21\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Microsoft Exchange Server Server-Side Request Forgery Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA166F2A-D83B-4D50-AD0B-668D813E0585\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*\",\"matchCriteriaId\":\"449CE85B-E599-44D3-A7C1-5133F6A55E86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF76AEDA-E574-40ED-B64F-8FDEF8CAC802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*\",\"matchCriteriaId\":\"435343A4-BF10-461A-ABF2-D511A5FBDA75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*\",\"matchCriteriaId\":\"B23C8E3E-5243-4DA6-B9AA-F6053084B55E\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/915563\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/915563\", \"name\": \"VU#915563\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:35:49.189Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-23T21:11:09.910371Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-09-30\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-09-30T00:00:00.000Z\", \"value\": \"CVE-2022-41040 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T18:34:35.585Z\"}}], \"cna\": {\"title\": \"Microsoft Exchange Server Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Microsoft Exchange Server 2013 Cumulative Update 23\", \"versions\": [{\"status\": \"affected\", \"version\": \"15.00.0\", \"lessThan\": \"15.00.1497.044\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Exchange Server 2016 Cumulative Update 22\", \"versions\": [{\"status\": \"affected\", \"version\": \"15.0.0\", \"lessThan\": \"15.01.2375.037\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Exchange Server 2019 Cumulative Update 11\", \"versions\": [{\"status\": \"affected\", \"version\": \"15.02.0\", \"lessThan\": \"15.02.0986.036\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Exchange Server 2019 Cumulative Update 12\", \"versions\": [{\"status\": \"affected\", \"version\": \"15.02.0\", \"lessThan\": \"15.02.1118.020\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Exchange Server 2016 Cumulative Update 23\", \"versions\": [{\"status\": \"affected\", \"version\": \"15.01.0\", \"lessThan\": \"15.01.2507.016\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\"]}], \"datePublic\": \"2022-09-30T07:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040\", \"name\": \"Microsoft Exchange Server Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Microsoft Exchange Server Elevation of Privilege Vulnerability\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"Impact\", \"description\": \"Elevation of Privilege\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"15.00.1497.044\", \"versionStartIncluding\": \"15.00.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_22:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"15.01.2375.037\", \"versionStartIncluding\": \"15.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_11:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"15.02.0986.036\", \"versionStartIncluding\": \"15.02.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_12:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"15.02.1118.020\", \"versionStartIncluding\": \"15.02.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"15.01.2507.016\", \"versionStartIncluding\": \"15.01.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2025-03-11T16:10:48.981Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-41040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:33.946Z\", \"dateReserved\": \"2022-09-19T00:00:00.000Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2022-10-03T00:00:00.000Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-ALE-008

Vulnerability from certfr_alerte - Published: - Updated:

[Mise à jour du 09 novembre 2022] L'éditeur a publié un correctif (cf. section solution).

En date du 29 septembre 2022, Microsoft a indiqué l'existence de deux vulnérabilités, de type zéro-jour, au sein de Windows Exchange 2013, 2016 et 2019.

Ces vulnérabilités sont les suivantes :

CVE-2022-41040 : Vulnérabilité de type injection de requêtes forgées côté serveur (Server Side Request Forgery, SSRF) exploitable par un attaquant authentifié ;
CVE-2022-41082 : Vulnérabilité permettant à un attaquant authentifié d'exécuter du code arbitraire à distance.

Dans le cadre d'une attaque, la CVE-2022-41040 peut permettre à un attaquant d'exploiter à distance la CVE-2022-41082. Selon l'éditeur, ces deux vulnérabilités ne sont exploitables que si l'attaquant est déjà authentifié. Un correctif spécifique est en cours de développement par Microsoft.

Ces vulnérabilités doivent faire l'objet d'une prise en compte immédiate, car elles ont été utilisées dans le cadre d'attaques ciblées. Le CERT-FR n'a pour le moment pas connaissance des conditions ayant permis aux attaquants d'obtenir un accès authentifié sur les serveurs ciblés.

Le CERT-FR a connaissance de codes d'exploitation publics pour la CVE-2022-41040.

Le CERT-FR a connaissance d'incidents en France impliquant l'exploitation de ces vulnérabilités.

Contournement provisoire

En attendant la publication des correctifs, le CERT-FR recommande d'appliquer immédiatement les mesures d'atténuation proposées par Microsoft [1].

L'éditeur recommande fortement de désactiver l’accès à PowerShell à distance pour les utilisateurs non administrateurs [3]. Le CERT-FR recommande l'application de cette contre-mesure car il s'agit de la protection la plus efficace identifiée à ce jour. Il conviendra de tester la configuration afin d'identifier les éventuels effets de bord sur les procédures automatisées basées sur Powershell.

Par ailleurs, et de façon complémentaire, Microsoft a publié un code PowerShell permettant d'appliquer les mesures d'atténuation pour la CVE-2022-41040 (réécriture de l'URL) [2]. De plus, une mise à jour de l'outil EEMS (Exchange Emergency Mitigation Service), ainsi que des éléments pour l'outil AMSI (AntiMalware Scan Interface) ont été proposés par Microsoft.

Le code PowerShell de Microsoft permettant d'appliquer la mesure d'atténuation via le module URL Rewrite a été mis à jour pour renforcer son efficacité contre des variations de la requête malveillante initialement observée [2]. Afin d'appliquer cette modification, il est nécessaire de télécharger puis relancer ce nouveau code ou modifier directement la règle dans le module URL Rewrite avec la valeur suivante : ".*autodiscover\.json.*Powershell.*".

Afin de prévenir tout type de coutournement de la règle ".*autodiscover\.json.*Powershell.*" par le biais d'encodage, le CERT-FR rappelle qu'il faut modifier la condition d'entrée de la règle susmentionnée avec la valeur suivante : {UrlDecode:{REQUEST_URI}}. Pour plus d'informations, veuillez-vous référer à l'étape 10 du blog de Microsoft [1].

Le Microsoft Patch Tuesday du 11 octobre 2022 ne propose aucun correctif pour ces vulnérabilités. Il est essentiel de maintenir l'application des contournements mentionnés ci-avant.

Détection

Le billet de blogue de l'éditeur documente quelques éléments d'aide à la détection de ces vulnérabilités [1].

Le CERT-FR recommande de réaliser une analyse approfondie des journaux réseau des serveurs IIS (sauvegardés par défaut dans le dossier : %SystemDrive%\inetpub\logs\LogFiles). Les commandes suivantes permettent d'identifier une exploitation de la vulnérabilité CVE-2022-41040 :

sur un système Windows : Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern '/powershell.*autodiscover.json.*200';
sur un système Linux : cat <Path_IIS_Logs>/*.log | grep -i -e '/powershell.*autodiscover.json.*200'.

Si une répartition de charge (load-balancing) est mise en œuvre, ces commandes doivent être appliquées sur les journaux de chacun des nœuds. Il est possible d'identifier une exploitation réussie de la CVE-2022-41040 si, à la suite de la première requête, une seconde requête HTTP de type POST commençant par le motif : /PowerShell a été exécutée par le serveur. Dans ce cas là, une analyse forensique des serveurs Exchange doit être engagée.

En cas de suspicion de compromission, les bons réflexes en cas d'intrusion sur votre système d'information sont rappelés ici.

Solution

[Mise à jour du 09 novembre 2022] Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation [4]).

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Exchange Serveur 2013 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2016 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2019 toutes versions

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft	2022-09-29	vendor-advisory
[mise à jour] Avis CERTFR-2022-AVI-876 du 03 octobre 2022	-	other
[1] Billet de blog Microsoft du 29 septembre 2022	-	other
[2] Code powershell appliquant les mesures d'atténuation	-	other
[3] Documentation du contrôle d'accès PowerShell à distance	-	other
Les bons réflexes en cas d’intrusion sur un système d’information	-	other
[4] Avis Microsoft du 08 novembre 2022	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Exchange Serveur 2013 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2016 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2019 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2023-03-14",
  "content": "\n## Contournement provisoire\n\nEn attendant la publication des correctifs, le CERT-FR recommande\nd\u0027appliquer imm\u00e9diatement les mesures d\u0027att\u00e9nuation propos\u00e9es par\nMicrosoft \\[1\\].\n\nL\u0027\u00e9diteur recommande fortement de d\u00e9sactiver l\u2019acc\u00e8s \u00e0 PowerShell \u00e0\ndistance pour les utilisateurs non administrateurs \\[3\\]. **Le CERT-FR\nrecommande l\u0027application de cette contre-mesure** car il s\u0027agit de la\nprotection \u003cu\u003ela plus efficace\u003c/u\u003e identifi\u00e9e \u00e0 ce jour. Il conviendra\nde tester la configuration afin d\u0027identifier les \u00e9ventuels effets de\nbord sur les proc\u00e9dures automatis\u00e9es bas\u00e9es sur Powershell.\n\nPar ailleurs, et de fa\u00e7on compl\u00e9mentaire, Microsoft a publi\u00e9 un code\nPowerShell permettant d\u0027appliquer les mesures d\u0027att\u00e9nuation pour la\nCVE-2022-41040 (r\u00e9\u00e9criture de l\u0027URL) \\[2\\]. De plus, une mise \u00e0 jour de\nl\u0027outil *EEMS* (*Exchange Emergency Mitigation Service*), ainsi que des\n\u00e9l\u00e9ments pour l\u0027outil *AMSI* (*AntiMalware Scan Interface*) ont \u00e9t\u00e9\npropos\u00e9s par Microsoft.\n\nLe code PowerShell de Microsoft permettant d\u0027appliquer la mesure\nd\u0027att\u00e9nuation *via* le module *URL Rewrite* a \u00e9t\u00e9 mis \u00e0 jour pour\nrenforcer son efficacit\u00e9 contre des variations de la requ\u00eate\nmalveillante initialement observ\u00e9e \\[2\\]. Afin d\u0027appliquer cette\nmodification, il est n\u00e9cessaire de t\u00e9l\u00e9charger puis relancer ce nouveau\ncode ou modifier directement la r\u00e8gle dans le module *URL Rewrite* avec\nla valeur suivante : \"`.*autodiscover\\.json.*Powershell.*`\".\n\nAfin de pr\u00e9venir tout type de coutournement de la r\u00e8gle\n\"`.*autodiscover\\.json.*Powershell.*`\" par le biais d\u0027encodage, le\nCERT-FR rappelle qu\u0027il faut modifier la condition d\u0027entr\u00e9e de la r\u00e8gle\nsusmentionn\u00e9e avec la valeur suivante :\u00a0 `{UrlDecode:{REQUEST_URI}}`.\nPour plus d\u0027informations, veuillez-vous r\u00e9f\u00e9rer \u00e0 l\u0027\u00e9tape 10 du blog de\nMicrosoft \\[1\\].\n\nLe *Microsoft Patch Tuesday* du 11 octobre 2022 ne propose \u003cu\u003eaucun\ncorrectif\u003c/u\u003e pour ces vuln\u00e9rabilit\u00e9s. Il est essentiel de maintenir\nl\u0027application des contournements mentionn\u00e9s ci-avant.\n\n## D\u00e9tection\n\nLe billet de blogue de l\u0027\u00e9diteur documente quelques \u00e9l\u00e9ments d\u0027aide \u00e0 la\nd\u00e9tection de ces vuln\u00e9rabilit\u00e9s \\[1\\].\n\nLe CERT-FR recommande de r\u00e9aliser une analyse approfondie des journaux\nr\u00e9seau des serveurs IIS (sauvegard\u00e9s par d\u00e9faut dans le dossier :\n%SystemDrive%\\\\inetpub\\\\logs\\\\LogFiles). Les commandes suivantes\npermettent d\u0027identifier une exploitation de la vuln\u00e9rabilit\u00e9\nCVE-2022-41040\u00a0 :\n\n-   sur un syst\u00e8me Windows :\n    `Get-ChildItem -Recurse -Path \u003cPath_IIS_Logs\u003e -Filter \"*.log\" | Select-String -Pattern \u0027/powershell.*autodiscover.json.*200\u0027`;\n-   sur un syst\u00e8me Linux :\n    `cat \u003cPath_IIS_Logs\u003e/*.log | grep -i -e \u0027/powershell.*autodiscover.json.*200\u0027`.\n\nSi une r\u00e9partition de charge (*load-balancing*) est mise en \u0153uvre, ces\ncommandes doivent \u00eatre appliqu\u00e9es sur les journaux de chacun des n\u0153uds.\nIl est possible d\u0027identifier une exploitation r\u00e9ussie de la\nCVE-2022-41040 si, \u00e0 la suite de la premi\u00e8re requ\u00eate, une seconde\nrequ\u00eate *HTTP* de type POST commen\u00e7ant par le motif : `/PowerShell` a\n\u00e9t\u00e9 ex\u00e9cut\u00e9e par le serveur. Dans ce cas l\u00e0, une analyse forensique des\nserveurs Exchange doit \u00eatre engag\u00e9e.\n\nEn cas de suspicion de compromission, les bons r\u00e9flexes en cas\nd\u0027intrusion sur votre syst\u00e8me d\u0027information sont rappel\u00e9s\n[ici](/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/).\n\n## Solution\n\n\u003cspan style=\"color: #ff0000;\"\u003e\\[Mise \u00e0 jour du 09 novembre 2022\\]\n\u003c/span\u003eSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour\nl\u0027obtention des correctifs (cf. section Documentation \\[4\\]).\n",
  "cves": [
    {
      "name": "CVE-2022-41040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41040"
    },
    {
      "name": "CVE-2022-41082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41082"
    }
  ],
  "links": [
    {
      "title": "[mise \u00e0 jour] Avis CERTFR-2022-AVI-876 du 03 octobre 2022",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2022-AVI-876/"
    },
    {
      "title": "[1] Billet de blog Microsoft du 29 septembre 2022",
      "url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
    },
    {
      "title": "[2] Code powershell appliquant les mesures d\u0027att\u00e9nuation",
      "url": "https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/"
    },
    {
      "title": "[3] Documentation du contr\u00f4le d\u0027acc\u00e8s PowerShell \u00e0 distance",
      "url": "https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps\u0026viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user"
    },
    {
      "title": "Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": "https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/"
    },
    {
      "title": "[4] Avis Microsoft du 08 novembre 2022",
      "url": "https://support.microsoft.com/fr-fr/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d"
    }
  ],
  "reference": "CERTFR-2022-ALE-008",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-30T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour suite \u00e0 l\u0027identification de codes d\u0027exploitation",
      "revision_date": "2022-10-03T00:00:00.000000"
    },
    {
      "description": "Recommandation concernant les contournements",
      "revision_date": "2022-10-04T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027\u00e9l\u00e9ments de d\u00e9tection pour la CVE-2022-41040",
      "revision_date": "2022-10-05T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027\u00e9l\u00e9ments afin d\u0027\u00e9viter les contournements li\u00e9s \u00e0 l\u0027encodage",
      "revision_date": "2022-10-07T00:00:00.000000"
    },
    {
      "description": "Identification d\u0027incidents li\u00e9s \u00e0 l\u0027exploitation de cette vuln\u00e9rabilit\u00e9.",
      "revision_date": "2022-10-07T00:00:00.000000"
    },
    {
      "description": "Clarification concernant les codes d\u0027exploitation",
      "revision_date": "2022-10-11T00:00:00.000000"
    },
    {
      "description": "le Patch Tuesday ne propose aucun correctif. Maintenir les contournements en place.",
      "revision_date": "2022-10-12T00:00:00.000000"
    },
    {
      "description": "Publication du correctif dans le cadre du Patch Tuesday du 08 novembre 2022",
      "revision_date": "2022-11-09T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2023-03-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cspan style=\"color: #ff0000;\"\u003e\u003cstrong\u003e\\[Mise \u00e0 jour du 09 novembre 2022\\]\u003c/strong\u003e\n\u003c/span\u003eL\u0027\u00e9diteur a publi\u00e9 un correctif (cf. section solution).\n\nEn date du 29 septembre 2022, Microsoft a indiqu\u00e9 l\u0027existence de deux\nvuln\u00e9rabilit\u00e9s, de type z\u00e9ro-jour, au sein de Windows Exchange 2013,\n2016 et 2019.\n\nCes vuln\u00e9rabilit\u00e9s sont les suivantes :\n\n-   CVE-2022-41040 : Vuln\u00e9rabilit\u00e9 de type injection de requ\u00eates forg\u00e9es\n    c\u00f4t\u00e9 serveur (*Server Side Request Forgery, SSRF*) exploitable par\n    un attaquant authentifi\u00e9 ;\n-   CVE-2022-41082 : Vuln\u00e9rabilit\u00e9 permettant \u00e0 un attaquant authentifi\u00e9\n    d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance.\n\nDans le cadre d\u0027une attaque, la CVE-2022-41040 peut permettre \u00e0 un\nattaquant d\u0027exploiter \u00e0 distance la CVE-2022-41082. Selon l\u0027\u00e9diteur, ces\ndeux vuln\u00e9rabilit\u00e9s ne sont exploitables que si l\u0027attaquant est d\u00e9j\u00e0\n\u003cstrong\u003eauthentifi\u00e9\u003c/strong\u003e. Un correctif sp\u00e9cifique est en cours de d\u00e9veloppement\npar Microsoft.\n\nCes vuln\u00e9rabilit\u00e9s doivent faire l\u0027objet d\u0027une prise en compte\nimm\u00e9diate, car elles ont \u00e9t\u00e9 utilis\u00e9es dans le cadre d\u0027attaques cibl\u00e9es.\nLe CERT-FR n\u0027a pour le moment pas connaissance des conditions ayant\npermis aux attaquants d\u0027obtenir un acc\u00e8s authentifi\u00e9 sur les serveurs\ncibl\u00e9s.\n\nLe CERT-FR a connaissance de codes d\u0027exploitation publics pour la\nCVE-2022-41040.\n\n\u003cspan style=\"color: #000000;\"\u003e\u003cspan\nclass=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLe CERT-FR a connaissance\nd\u0027incidents en France impliquant l\u0027exploitation de ces\nvuln\u00e9rabilit\u00e9s.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\n",
  "title": "[MaJ] Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Exchange",
  "vendor_advisories": [
    {
      "published_at": "2022-09-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft",
      "url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
    }
  ]
}

CERTFR-2022-ALE-008

Vulnerability from certfr_alerte - Published: - Updated:

[Mise à jour du 09 novembre 2022] L'éditeur a publié un correctif (cf. section solution).

En date du 29 septembre 2022, Microsoft a indiqué l'existence de deux vulnérabilités, de type zéro-jour, au sein de Windows Exchange 2013, 2016 et 2019.

Ces vulnérabilités sont les suivantes :

CVE-2022-41040 : Vulnérabilité de type injection de requêtes forgées côté serveur (Server Side Request Forgery, SSRF) exploitable par un attaquant authentifié ;
CVE-2022-41082 : Vulnérabilité permettant à un attaquant authentifié d'exécuter du code arbitraire à distance.

Le CERT-FR a connaissance de codes d'exploitation publics pour la CVE-2022-41040.

Le CERT-FR a connaissance d'incidents en France impliquant l'exploitation de ces vulnérabilités.

Contournement provisoire

En attendant la publication des correctifs, le CERT-FR recommande d'appliquer immédiatement les mesures d'atténuation proposées par Microsoft [1].

Le Microsoft Patch Tuesday du 11 octobre 2022 ne propose aucun correctif pour ces vulnérabilités. Il est essentiel de maintenir l'application des contournements mentionnés ci-avant.

Détection

Le billet de blogue de l'éditeur documente quelques éléments d'aide à la détection de ces vulnérabilités [1].

sur un système Windows : Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern '/powershell.*autodiscover.json.*200';
sur un système Linux : cat <Path_IIS_Logs>/*.log | grep -i -e '/powershell.*autodiscover.json.*200'.

En cas de suspicion de compromission, les bons réflexes en cas d'intrusion sur votre système d'information sont rappelés ici.

Solution

[Mise à jour du 09 novembre 2022] Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation [4]).

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Exchange Serveur 2013 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2016 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2019 toutes versions

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft	2022-09-29	vendor-advisory
[mise à jour] Avis CERTFR-2022-AVI-876 du 03 octobre 2022	-	other
[1] Billet de blog Microsoft du 29 septembre 2022	-	other
[2] Code powershell appliquant les mesures d'atténuation	-	other
[3] Documentation du contrôle d'accès PowerShell à distance	-	other
Les bons réflexes en cas d’intrusion sur un système d’information	-	other
[4] Avis Microsoft du 08 novembre 2022	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Exchange Serveur 2013 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2016 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2019 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2023-03-14",
  "content": "\n## Contournement provisoire\n\nEn attendant la publication des correctifs, le CERT-FR recommande\nd\u0027appliquer imm\u00e9diatement les mesures d\u0027att\u00e9nuation propos\u00e9es par\nMicrosoft \\[1\\].\n\nL\u0027\u00e9diteur recommande fortement de d\u00e9sactiver l\u2019acc\u00e8s \u00e0 PowerShell \u00e0\ndistance pour les utilisateurs non administrateurs \\[3\\]. **Le CERT-FR\nrecommande l\u0027application de cette contre-mesure** car il s\u0027agit de la\nprotection \u003cu\u003ela plus efficace\u003c/u\u003e identifi\u00e9e \u00e0 ce jour. Il conviendra\nde tester la configuration afin d\u0027identifier les \u00e9ventuels effets de\nbord sur les proc\u00e9dures automatis\u00e9es bas\u00e9es sur Powershell.\n\nPar ailleurs, et de fa\u00e7on compl\u00e9mentaire, Microsoft a publi\u00e9 un code\nPowerShell permettant d\u0027appliquer les mesures d\u0027att\u00e9nuation pour la\nCVE-2022-41040 (r\u00e9\u00e9criture de l\u0027URL) \\[2\\]. De plus, une mise \u00e0 jour de\nl\u0027outil *EEMS* (*Exchange Emergency Mitigation Service*), ainsi que des\n\u00e9l\u00e9ments pour l\u0027outil *AMSI* (*AntiMalware Scan Interface*) ont \u00e9t\u00e9\npropos\u00e9s par Microsoft.\n\nLe code PowerShell de Microsoft permettant d\u0027appliquer la mesure\nd\u0027att\u00e9nuation *via* le module *URL Rewrite* a \u00e9t\u00e9 mis \u00e0 jour pour\nrenforcer son efficacit\u00e9 contre des variations de la requ\u00eate\nmalveillante initialement observ\u00e9e \\[2\\]. Afin d\u0027appliquer cette\nmodification, il est n\u00e9cessaire de t\u00e9l\u00e9charger puis relancer ce nouveau\ncode ou modifier directement la r\u00e8gle dans le module *URL Rewrite* avec\nla valeur suivante : \"`.*autodiscover\\.json.*Powershell.*`\".\n\nAfin de pr\u00e9venir tout type de coutournement de la r\u00e8gle\n\"`.*autodiscover\\.json.*Powershell.*`\" par le biais d\u0027encodage, le\nCERT-FR rappelle qu\u0027il faut modifier la condition d\u0027entr\u00e9e de la r\u00e8gle\nsusmentionn\u00e9e avec la valeur suivante :\u00a0 `{UrlDecode:{REQUEST_URI}}`.\nPour plus d\u0027informations, veuillez-vous r\u00e9f\u00e9rer \u00e0 l\u0027\u00e9tape 10 du blog de\nMicrosoft \\[1\\].\n\nLe *Microsoft Patch Tuesday* du 11 octobre 2022 ne propose \u003cu\u003eaucun\ncorrectif\u003c/u\u003e pour ces vuln\u00e9rabilit\u00e9s. Il est essentiel de maintenir\nl\u0027application des contournements mentionn\u00e9s ci-avant.\n\n## D\u00e9tection\n\nLe billet de blogue de l\u0027\u00e9diteur documente quelques \u00e9l\u00e9ments d\u0027aide \u00e0 la\nd\u00e9tection de ces vuln\u00e9rabilit\u00e9s \\[1\\].\n\nLe CERT-FR recommande de r\u00e9aliser une analyse approfondie des journaux\nr\u00e9seau des serveurs IIS (sauvegard\u00e9s par d\u00e9faut dans le dossier :\n%SystemDrive%\\\\inetpub\\\\logs\\\\LogFiles). Les commandes suivantes\npermettent d\u0027identifier une exploitation de la vuln\u00e9rabilit\u00e9\nCVE-2022-41040\u00a0 :\n\n-   sur un syst\u00e8me Windows :\n    `Get-ChildItem -Recurse -Path \u003cPath_IIS_Logs\u003e -Filter \"*.log\" | Select-String -Pattern \u0027/powershell.*autodiscover.json.*200\u0027`;\n-   sur un syst\u00e8me Linux :\n    `cat \u003cPath_IIS_Logs\u003e/*.log | grep -i -e \u0027/powershell.*autodiscover.json.*200\u0027`.\n\nSi une r\u00e9partition de charge (*load-balancing*) est mise en \u0153uvre, ces\ncommandes doivent \u00eatre appliqu\u00e9es sur les journaux de chacun des n\u0153uds.\nIl est possible d\u0027identifier une exploitation r\u00e9ussie de la\nCVE-2022-41040 si, \u00e0 la suite de la premi\u00e8re requ\u00eate, une seconde\nrequ\u00eate *HTTP* de type POST commen\u00e7ant par le motif : `/PowerShell` a\n\u00e9t\u00e9 ex\u00e9cut\u00e9e par le serveur. Dans ce cas l\u00e0, une analyse forensique des\nserveurs Exchange doit \u00eatre engag\u00e9e.\n\nEn cas de suspicion de compromission, les bons r\u00e9flexes en cas\nd\u0027intrusion sur votre syst\u00e8me d\u0027information sont rappel\u00e9s\n[ici](/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/).\n\n## Solution\n\n\u003cspan style=\"color: #ff0000;\"\u003e\\[Mise \u00e0 jour du 09 novembre 2022\\]\n\u003c/span\u003eSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour\nl\u0027obtention des correctifs (cf. section Documentation \\[4\\]).\n",
  "cves": [
    {
      "name": "CVE-2022-41040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41040"
    },
    {
      "name": "CVE-2022-41082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41082"
    }
  ],
  "links": [
    {
      "title": "[mise \u00e0 jour] Avis CERTFR-2022-AVI-876 du 03 octobre 2022",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2022-AVI-876/"
    },
    {
      "title": "[1] Billet de blog Microsoft du 29 septembre 2022",
      "url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
    },
    {
      "title": "[2] Code powershell appliquant les mesures d\u0027att\u00e9nuation",
      "url": "https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/"
    },
    {
      "title": "[3] Documentation du contr\u00f4le d\u0027acc\u00e8s PowerShell \u00e0 distance",
      "url": "https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps\u0026viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user"
    },
    {
      "title": "Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": "https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/"
    },
    {
      "title": "[4] Avis Microsoft du 08 novembre 2022",
      "url": "https://support.microsoft.com/fr-fr/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d"
    }
  ],
  "reference": "CERTFR-2022-ALE-008",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-30T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour suite \u00e0 l\u0027identification de codes d\u0027exploitation",
      "revision_date": "2022-10-03T00:00:00.000000"
    },
    {
      "description": "Recommandation concernant les contournements",
      "revision_date": "2022-10-04T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027\u00e9l\u00e9ments de d\u00e9tection pour la CVE-2022-41040",
      "revision_date": "2022-10-05T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027\u00e9l\u00e9ments afin d\u0027\u00e9viter les contournements li\u00e9s \u00e0 l\u0027encodage",
      "revision_date": "2022-10-07T00:00:00.000000"
    },
    {
      "description": "Identification d\u0027incidents li\u00e9s \u00e0 l\u0027exploitation de cette vuln\u00e9rabilit\u00e9.",
      "revision_date": "2022-10-07T00:00:00.000000"
    },
    {
      "description": "Clarification concernant les codes d\u0027exploitation",
      "revision_date": "2022-10-11T00:00:00.000000"
    },
    {
      "description": "le Patch Tuesday ne propose aucun correctif. Maintenir les contournements en place.",
      "revision_date": "2022-10-12T00:00:00.000000"
    },
    {
      "description": "Publication du correctif dans le cadre du Patch Tuesday du 08 novembre 2022",
      "revision_date": "2022-11-09T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2023-03-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cspan style=\"color: #ff0000;\"\u003e\u003cstrong\u003e\\[Mise \u00e0 jour du 09 novembre 2022\\]\u003c/strong\u003e\n\u003c/span\u003eL\u0027\u00e9diteur a publi\u00e9 un correctif (cf. section solution).\n\nEn date du 29 septembre 2022, Microsoft a indiqu\u00e9 l\u0027existence de deux\nvuln\u00e9rabilit\u00e9s, de type z\u00e9ro-jour, au sein de Windows Exchange 2013,\n2016 et 2019.\n\nCes vuln\u00e9rabilit\u00e9s sont les suivantes :\n\n-   CVE-2022-41040 : Vuln\u00e9rabilit\u00e9 de type injection de requ\u00eates forg\u00e9es\n    c\u00f4t\u00e9 serveur (*Server Side Request Forgery, SSRF*) exploitable par\n    un attaquant authentifi\u00e9 ;\n-   CVE-2022-41082 : Vuln\u00e9rabilit\u00e9 permettant \u00e0 un attaquant authentifi\u00e9\n    d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance.\n\nDans le cadre d\u0027une attaque, la CVE-2022-41040 peut permettre \u00e0 un\nattaquant d\u0027exploiter \u00e0 distance la CVE-2022-41082. Selon l\u0027\u00e9diteur, ces\ndeux vuln\u00e9rabilit\u00e9s ne sont exploitables que si l\u0027attaquant est d\u00e9j\u00e0\n\u003cstrong\u003eauthentifi\u00e9\u003c/strong\u003e. Un correctif sp\u00e9cifique est en cours de d\u00e9veloppement\npar Microsoft.\n\nCes vuln\u00e9rabilit\u00e9s doivent faire l\u0027objet d\u0027une prise en compte\nimm\u00e9diate, car elles ont \u00e9t\u00e9 utilis\u00e9es dans le cadre d\u0027attaques cibl\u00e9es.\nLe CERT-FR n\u0027a pour le moment pas connaissance des conditions ayant\npermis aux attaquants d\u0027obtenir un acc\u00e8s authentifi\u00e9 sur les serveurs\ncibl\u00e9s.\n\nLe CERT-FR a connaissance de codes d\u0027exploitation publics pour la\nCVE-2022-41040.\n\n\u003cspan style=\"color: #000000;\"\u003e\u003cspan\nclass=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLe CERT-FR a connaissance\nd\u0027incidents en France impliquant l\u0027exploitation de ces\nvuln\u00e9rabilit\u00e9s.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\n",
  "title": "[MaJ] Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Exchange",
  "vendor_advisories": [
    {
      "published_at": "2022-09-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft",
      "url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
    }
  ]
}

CERTFR-2022-AVI-876

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Microsoft Exchange Server. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Exchange Serveur 2013 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2016 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2019 toutes versions

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft Exchange Server du 30 septembre 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Exchange Serveur 2013 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2016 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2019 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-41040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41040"
    },
    {
      "name": "CVE-2022-41082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41082"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-876",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-10-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Exchange\nServer. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Exchange Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft Exchange Server du 30 septembre 2022",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
    }
  ]
}

CERTFR-2022-AVI-876

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Exchange Serveur 2013 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2016 toutes versions
Microsoft	N/A	Microsoft Exchange Serveur 2019 toutes versions

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft Exchange Server du 30 septembre 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Exchange Serveur 2013 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2016 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Serveur 2019 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-41040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41040"
    },
    {
      "name": "CVE-2022-41082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41082"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-876",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-10-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Exchange\nServer. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Exchange Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft Exchange Server du 30 septembre 2022",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
    }
  ]
}

BDU:2022-06032

Vulnerability from fstec - Published: 30.09.2022

Title

Уязвимость почтового сервера Microsoft Exchange Server, связанная с ошибками при обработке вводимых данных в OWA-интерфейсе, позволяющая нарушителю осуществить SSRF-атаку

Description

Уязвимость почтового сервера Microsoft Exchange Server связана с ошибками при обработке вводимых данных в OWA-интерфейсе. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, осуществить SSRF-атаку

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Microsoft Corp

Software Name

Microsoft Exchange Server

Software Version

2016 (Microsoft Exchange Server), 2013 (Microsoft Exchange Server), 2019 (Microsoft Exchange Server)

Possible Mitigations

Компенсирующие меры: - выполнение следующих шагов: 1. Открыть диспетчер IIS. 2. Развернуть веб-сайт по умолчанию. 3. Выбрать «Автообнаружение». 4. В представлении функций нажать «Перезаписать URL». 5. На панели «Действия» справа нажать «Добавить правила». 6. Выбрать «Блокировка запроса» и нажать «ОК». 7. Добавить строку «.*autodiscover\.json.*\@.*Powershell.*» (без кавычек) и нажать «ОК». 8. Развернуть правило и выбрать правило с шаблоном «.*autodiscover\.json.*\@.*Powershell.*» и нажать «Изменить» в разделе «Условия». Изменить ввод условия с {URL} на {REQUEST_URI}. Для проверки компрометации сервера запустить следующую команду PowerShell: Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200' Использование рекомендаций: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Reference

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html

CWE

CWE-918

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Microsoft Corp",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "2016 (Microsoft Exchange Server), 2013 (Microsoft Exchange Server), 2019 (Microsoft Exchange Server)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u0448\u0430\u0433\u043e\u0432:\n1. \u041e\u0442\u043a\u0440\u044b\u0442\u044c \u0434\u0438\u0441\u043f\u0435\u0442\u0447\u0435\u0440 IIS.\n2. \u0420\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044c \u0432\u0435\u0431-\u0441\u0430\u0439\u0442 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e.\n3. \u0412\u044b\u0431\u0440\u0430\u0442\u044c \u00ab\u0410\u0432\u0442\u043e\u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0435\u00bb.\n4. \u0412 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0438 \u0444\u0443\u043d\u043a\u0446\u0438\u0439 \u043d\u0430\u0436\u0430\u0442\u044c \u00ab\u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0430\u0442\u044c URL\u00bb.\n5. \u041d\u0430 \u043f\u0430\u043d\u0435\u043b\u0438 \u00ab\u0414\u0435\u0439\u0441\u0442\u0432\u0438\u044f\u00bb \u0441\u043f\u0440\u0430\u0432\u0430 \u043d\u0430\u0436\u0430\u0442\u044c \u00ab\u0414\u043e\u0431\u0430\u0432\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430\u00bb.\n6. \u0412\u044b\u0431\u0440\u0430\u0442\u044c \u00ab\u0411\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0430 \u0437\u0430\u043f\u0440\u043e\u0441\u0430\u00bb \u0438 \u043d\u0430\u0436\u0430\u0442\u044c \u00ab\u041e\u041a\u00bb.\n7. \u0414\u043e\u0431\u0430\u0432\u0438\u0442\u044c \u0441\u0442\u0440\u043e\u043a\u0443 \u00ab.*autodiscover\\.json.*\\@.*Powershell.*\u00bb (\u0431\u0435\u0437 \u043a\u0430\u0432\u044b\u0447\u0435\u043a) \u0438 \u043d\u0430\u0436\u0430\u0442\u044c \u00ab\u041e\u041a\u00bb.\n8. \u0420\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u0438 \u0432\u044b\u0431\u0440\u0430\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u0441 \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u043c \u00ab.*autodiscover\\.json.*\\@.*Powershell.*\u00bb \u0438 \u043d\u0430\u0436\u0430\u0442\u044c \u00ab\u0418\u0437\u043c\u0435\u043d\u0438\u0442\u044c\u00bb \u0432 \u0440\u0430\u0437\u0434\u0435\u043b\u0435 \u00ab\u0423\u0441\u043b\u043e\u0432\u0438\u044f\u00bb.\n\u0418\u0437\u043c\u0435\u043d\u0438\u0442\u044c \u0432\u0432\u043e\u0434 \u0443\u0441\u043b\u043e\u0432\u0438\u044f \u0441 {URL} \u043d\u0430 {REQUEST_URI}.\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0430\u0446\u0438\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443 PowerShell:\nGet-ChildItem -Recurse -Path \u003cPath_IIS_Logs\u003e -Filter \"*.log\" | Select-String -Pattern \u0027powershell.*autodiscover\\.json.*\\@.*200\u0027\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "30.09.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "30.09.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-06032",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-41040",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Microsoft Exchange Server",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 Microsoft Exchange Server, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u0432 OWA-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0435, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c SSRF-\u0430\u0442\u0430\u043a\u0443",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0421\u0435\u0440\u0432\u0435\u0440\u043d\u0430\u044f \u0444\u0430\u043b\u044c\u0441\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 (CWE-918)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 Microsoft Exchange Server \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u0432 OWA-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0435. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c SSRF-\u0430\u0442\u0430\u043a\u0443",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/\nhttp://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-918",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

CNVD-2022-67837

Vulnerability from cnvd - Published: 2022-10-10

Title

Microsoft Exchange Server权限提升漏洞（CNVD-2022-67837）

Description

Microsoft Exchange Server是一款微软开发的流行的邮件服务程序。 Microsoft Exchange Server存在权限提升漏洞，远程攻击者可以利用该漏洞提交特殊的请求，可获取敏感信息或者提升权限。

Severity

高

Patch Name

Microsoft Exchange Server权限提升漏洞（CNVD-2022-67837）的补丁

Patch Description

Microsoft Exchange Server是一款微软开发的流行的邮件服务程序。 Microsoft Exchange Server存在权限提升漏洞，远程攻击者可以利用该漏洞提交特殊的请求，可获取敏感信息或者提升权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-41040

Impacted products

Name
Microsoft Exchange Server

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-41040",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-41040"
    }
  },
  "description": "Microsoft Exchange Server\u662f\u4e00\u6b3e\u5fae\u8f6f\u5f00\u53d1\u7684\u6d41\u884c\u7684\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\u3002\n\nMicrosoft Exchange Server\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u8005\u63d0\u5347\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-67837",
  "openTime": "2022-10-10",
  "patchDescription": "Microsoft Exchange Server\u662f\u4e00\u6b3e\u5fae\u8f6f\u5f00\u53d1\u7684\u6d41\u884c\u7684\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\u3002\r\n\r\nMicrosoft Exchange Server\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u8005\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Exchange Server\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2022-67837\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft Exchange Server"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-41040",
  "serverity": "\u9ad8",
  "submitTime": "2022-10-08",
  "title": "Microsoft Exchange Server\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2022-67837\uff09"
}

FKIE_CVE-2022-41040

Vulnerability from fkie_nvd - Published: 2022-10-03 01:15 - Updated: 2026-06-17 05:02

CISA KEV KEVintel KEV

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Microsoft Exchange Server Elevation of Privilege Vulnerability

References

URL	Tags
secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040	Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/915563	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040	US Government Resource

Impacted products

Vendor	Product	Version
microsoft	exchange_server	2013
microsoft	exchange_server	2016
microsoft	exchange_server	2016
microsoft	exchange_server	2019
microsoft	exchange_server	2019

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2013 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.00.1497.044",
              "status": "affected",
              "version": "15.00.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 22",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2375.037",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 11",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.0986.036",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 12",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1118.020",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.016",
              "status": "affected",
              "version": "15.01.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "secure@microsoft.com"
    }
  ],
  "cisaActionDue": "2022-10-21",
  "cisaExploitAdd": "2022-09-30",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*",
              "matchCriteriaId": "DA166F2A-D83B-4D50-AD0B-668D813E0585",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*",
              "matchCriteriaId": "449CE85B-E599-44D3-A7C1-5133F6A55E86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*",
              "matchCriteriaId": "FF76AEDA-E574-40ED-B64F-8FDEF8CAC802",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*",
              "matchCriteriaId": "435343A4-BF10-461A-ABF2-D511A5FBDA75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*",
              "matchCriteriaId": "B23C8E3E-5243-4DA6-B9AA-F6053084B55E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    },
    {
      "lang": "es",
      "value": "Una Vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server"
    }
  ],
  "id": "CVE-2022-41040",
  "lastModified": "2026-06-17T05:02:28.500",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2022-41040",
          "options": [
            {
              "exploitation": "active"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-02-23T21:11:09.910371Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2022-10-03T01:15:08.753",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/915563"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-6PH7-8WXV-6GF2

Vulnerability from github – Published: 2022-10-04 00:00 – Updated: 2025-10-22 00:32

Details

Microsoft Exchange Server Elevation of Privilege Vulnerability.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-41040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-03T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Exchange Server Elevation of Privilege Vulnerability.",
  "id": "GHSA-6ph7-8wxv-6gf2",
  "modified": "2025-10-22T00:32:37Z",
  "published": "2022-10-04T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41040"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/915563"
    },
    {
      "type": "WEB",
      "url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-41040

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Microsoft Exchange Server Elevation of Privilege Vulnerability.

Aliases

CVE-2022-41040

Aliases

CVE-2022-41040

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-41040",
    "id": "GSD-2022-41040"
  },
  "gsd": {
    "affected": [
      {
        "package": {
          "ecosystem": "Microsoft",
          "name": "Exchange Server 2019"
        },
        "ranges": [
          {
            "events": [
              {
                "introduced": "Cumulative Update 11"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "versions": [
          "Microsoft Exchange Server 2019 Cumulative Update 11",
          "Microsoft Exchange Server 2019 Cumulative Update 12"
        ]
      },
      {
        "package": {
          "ecosystem": "Microsoft",
          "name": "Exchange Server 2016"
        },
        "ranges": [
          {
            "events": [
              {
                "introduced": "Cumulative Update 22"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "versions": [
          "Microsoft Exchange Server 2016 Cumulative Update 22",
          "Microsoft Exchange Server 2016 Cumulative Update 23"
        ]
      },
      {
        "package": {
          "ecosystem": "Microsoft",
          "name": "Exchange Server 2013"
        },
        "ranges": [
          {
            "events": [
              {
                "introduced": "Cumulative Update 23"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "versions": [
          "Microsoft Exchange Server 2013 Cumulative Update 23"
        ]
      }
    ],
    "description": "It was originally reported that an undisclosed flaw in Microsoft Exchange Server version 2019 and possibly earlier allowed for remote code execution. Confirmation was not available at the time of the release of the original GSD identifiers (GSD-2022-1006324 and GSD-2022-1006325) however, since then, Microsoft has confirmed that these two issues can be combined to gain remote code execution (an SSRF and a Remote Code Execution via Powershell). Microsoft has assigned CVE ID\u0027s for these two issues, as such the original GSD Identifiers have been withdrawn, and the corresponding GSD ID\u0027s for the CVE ID\u0027s have been populated with data (the file you are currently reading). \n\n This issue was originally reported and also reportedly confirmed as ZDI-CAN-18333 (CVSS score of 8.8) and ZDI-CAN-18802 (CVSS score of 6.3). \n\n Microsoft now reports the following: \n\n # Summary \n\n Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF)  vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. \n\n At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. \n\n We are working on an accelerated timeline to release a fix. Until then, we\u2019re providing the mitigations and detection guidance below to help customers protect themselves from these attacks. \n\n Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. \n\n We will continue to provide updates here to help keep customers informed. \n\n # Mitigations \n\n Mitigation information is available at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ \n\n # Detections \n\n Detection information is available at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ \n\n # Updates \n\n September 30, 2022 updates: \n\n Microsoft created a script for the URL Rewrite mitigation steps and modified step 6 in the Mitigations section. \n Antimalware Scan Interface (AMSI) guidance, and auditing AV exclusions to optimize detection, and blocking of the Exchange vulnerability exploitation. \n Microsoft Sentinel hunting queries \n\n ## Detection \n\n Fast Fuzzer (written in Go) can detect this: \n\n ffuf -w \"urllist.txt:URL\" -u \"https://URL/autodiscover/autodiscover.json?@URL/\u0026Email=autodiscover/autodiscover.json%3f@URL\" -mr \"IIS Web Core\" -r \n\n",
    "id": "GSD-2022-41040",
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "modified": "2022-10-09T09:50:18.511745266Z",
    "osvSchema": {
      "aliases": [
        "CVE-2022-41040"
      ],
      "details": "Microsoft Exchange Server Elevation of Privilege Vulnerability.",
      "id": "GSD-2022-41040",
      "modified": "2023-12-13T01:19:33.110014Z",
      "schema_version": "1.4.0"
    },
    "references": [
      {
        "type": "ADVISORY",
        "url": "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://twitter.com/GossiTheDog/status/1575580072961982464"
      },
      {
        "type": "ADVISORY",
        "url": "https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9"
      },
      {
        "type": "ADVISORY",
        "url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
      },
      {
        "type": "ADVISORY",
        "url": "https://twitter.com/blackorbird/status/1575521156966535168"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft"
      },
      {
        "type": "ADVISORY",
        "url": "hhttps://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/"
      },
      {
        "type": "WEB",
        "url": "https://twitter.com/GossiTheDog/status/1575762721353916417"
      },
      {
        "type": "WEB",
        "url": "https://github.com/VNCERT-CC/0dayex-checker"
      },
      {
        "type": "WEB",
        "url": "https://www.reddit.com/r/netsec/comments/xs5xsz/vncertcc_has_just_developed_a_tool_to_check/"
      },
      {
        "type": "WEB",
        "url": "https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/"
      },
      {
        "type": "DETECTION",
        "url": "https://twitter.com/0xJin/status/1579096666963337217"
      },
      {
        "type": "DETECTION",
        "url": "https://github.com/ffuf/ffuf"
      }
    ],
    "related": [
      "GSD-2022-41082"
    ],
    "schema_version": "1.3.1",
    "severity": [
      {
        "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "type": "CVSS_V3"
      }
    ],
    "summary": "Microsoft Exchange Server-Side Request Forgery (SSRF) in 2019 and earlier"
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2022-41040",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Microsoft Exchange Server 2013 Cumulative Update 23",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15.00.0",
                          "version_value": "15.00.1497.044"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Microsoft Exchange Server 2016 Cumulative Update 22",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15.0.0",
                          "version_value": "15.01.2375.037"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Microsoft Exchange Server 2019 Cumulative Update 11",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15.02.0",
                          "version_value": "15.02.0986.036"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Microsoft Exchange Server 2019 Cumulative Update 12",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15.02.0",
                          "version_value": "15.02.1118.020"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Microsoft Exchange Server 2016 Cumulative Update 23",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15.01.0",
                          "version_value": "15.01.2507.016"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Elevation of Privilege"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040"
          },
          {
            "name": "https://www.kb.cert.org/vuls/id/915563",
            "refsource": "MISC",
            "url": "https://www.kb.cert.org/vuls/id/915563"
          },
          {
            "name": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
          },
          {
            "name": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/",
            "refsource": "MISC",
            "url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "cisaActionDue": "2022-10-21",
        "cisaExploitAdd": "2022-09-30",
        "cisaRequiredAction": "Apply updates per vendor instructions.",
        "cisaVulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability",
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*",
                    "matchCriteriaId": "DA166F2A-D83B-4D50-AD0B-668D813E0585",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*",
                    "matchCriteriaId": "449CE85B-E599-44D3-A7C1-5133F6A55E86",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*",
                    "matchCriteriaId": "FF76AEDA-E574-40ED-B64F-8FDEF8CAC802",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*",
                    "matchCriteriaId": "435343A4-BF10-461A-ABF2-D511A5FBDA75",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*",
                    "matchCriteriaId": "B23C8E3E-5243-4DA6-B9AA-F6053084B55E",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
          },
          {
            "lang": "es",
            "value": "Una Vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server"
          }
        ],
        "id": "CVE-2022-41040",
        "lastModified": "2023-12-20T20:15:18.393",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "secure@microsoft.com",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-10-03T01:15:08.753",
        "references": [
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Exploit",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Mitigation",
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Third Party Advisory",
              "US Government Resource"
            ],
            "url": "https://www.kb.cert.org/vuls/id/915563"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
          }
        ],
        "sourceIdentifier": "secure@microsoft.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-918"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

MSRC_CVE-2022-41040

Vulnerability from csaf_microsoft - Published: 2022-09-13 07:00 - Updated: 2022-11-08 08:00

Summary

Microsoft Exchange Server Elevation of Privilege Vulnerability

Severity

Critical

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action: Required. The vulnerability documented by this CVE requires customer action to resolve.

CVE-2022-41040

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Affected products

Fixed 5 products

Product	Identifier	Version	Remediation
Microsoft Exchange Server 2013 Cumulative Update 23 15.00.1497.044 Microsoft Exchange Server 2013 Cumulative Update 23		15.00.1497.044
Microsoft Exchange Server 2016 Cumulative Update 22 15.01.2375.037 Microsoft Exchange Server 2016 Cumulative Update 22		15.01.2375.037
Microsoft Exchange Server 2019 Cumulative Update 11 15.02.0986.036 Microsoft Exchange Server 2019 Cumulative Update 11		15.02.0986.036
Microsoft Exchange Server 2019 Cumulative Update 12 15.02.1118.020 Microsoft Exchange Server 2019 Cumulative Update 12		15.02.1118.020
Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.016 Microsoft Exchange Server 2016 Cumulative Update 23		15.01.2507.016

Known affected 5 products

Product	Version	Remediation
Microsoft Exchange Server 2016 Cumulative Update 23 <15.01.2507.016 Microsoft Exchange Server 2016 Cumulative Update 23	<15.01.2507.016	Vendor Fix fix
Microsoft Exchange Server 2019 Cumulative Update 12 <15.02.1118.020 Microsoft Exchange Server 2019 Cumulative Update 12	<15.02.1118.020	Vendor Fix fix
Microsoft Exchange Server 2019 Cumulative Update 11 <15.02.0986.036 Microsoft Exchange Server 2019 Cumulative Update 11	<15.02.0986.036	Vendor Fix fix
Microsoft Exchange Server 2016 Cumulative Update 22 <15.01.2375.037 Microsoft Exchange Server 2016 Cumulative Update 22	<15.01.2375.037	Vendor Fix fix
Microsoft Exchange Server 2013 Cumulative Update 23 <15.00.1497.044 Microsoft Exchange Server 2013 Cumulative Update 23	<15.00.1497.044	Vendor Fix fix

Threats

Impact Elevation of Privilege

Exploit Status Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected

References

7 references

URL	Category
https://msrc.microsoft.com/update-guide/vulnerabi…	self
https://msrc.microsoft.com/csaf/advisories/2022/m…	self
https://www.microsoft.com/en-us/msrc/exploitabili…	external
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/update-guide/vulnerabi…	self
https://msrc.microsoft.com/csaf/advisories/2022/m…	self

Acknowledgments

DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with \u003ca href=\"https://www.zerodayinitiative.com/\"\u003eTrend Micro Zero Day Initiative\u003c/a\u003e"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
      },
      {
        "category": "self",
        "summary": "CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2022/msrc_cve-2022-41040.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2022-11-08T08:00:00.000Z",
      "generator": {
        "date": "2025-03-11T16:10:09.697Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-41040",
      "initial_release_date": "2022-09-13T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-09-30T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2022-10-03T07:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Updated FAQ information. This is an informational change only."
        },
        {
          "date": "2022-10-05T07:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "In the FAQ, updated the Condition Input to {UrlDecode:{REQUEST_URI}}. This is an informational change only."
        },
        {
          "date": "2022-10-07T07:00:00.000Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "In the FAQ, updated the information about steps to take to be protected from the vulnerability to refer to [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) for mitigation instructions. This is an informational change only."
        },
        {
          "date": "2022-11-08T08:00:00.000Z",
          "legacy_version": "2",
          "number": "5",
          "summary": "On November, 8 2022, Microsoft released updates to address this vulnerability. Customers who are running an affected version of Microsoft Exchange Server should install the updates to be protected."
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.00.1497.044",
            "product": {
              "name": "Microsoft Exchange Server 2013 Cumulative Update 23 \u003c15.00.1497.044",
              "product_id": "5"
            }
          },
          {
            "category": "product_version",
            "name": "15.00.1497.044",
            "product": {
              "name": "Microsoft Exchange Server 2013 Cumulative Update 23 15.00.1497.044",
              "product_id": "11682"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2013 Cumulative Update 23"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.01.2375.037",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 22 \u003c15.01.2375.037",
              "product_id": "4"
            }
          },
          {
            "category": "product_version",
            "name": "15.01.2375.037",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 22 15.01.2375.037",
              "product_id": "11956"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2016 Cumulative Update 22"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.02.0986.036",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 11 \u003c15.02.0986.036",
              "product_id": "3"
            }
          },
          {
            "category": "product_version",
            "name": "15.02.0986.036",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 11 15.02.0986.036",
              "product_id": "11957"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2019 Cumulative Update 11"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.02.1118.020",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 12 \u003c15.02.1118.020",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "15.02.1118.020",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 12 15.02.1118.020",
              "product_id": "12038"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2019 Cumulative Update 12"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.01.2507.016",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 23 \u003c15.01.2507.016",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "15.01.2507.016",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.016",
              "product_id": "12039"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2016 Cumulative Update 23"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-41040",
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "Yes, the attacker must be authenticated.",
          "title": "According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?"
        },
        {
          "category": "faq",
          "text": "Exchange Server customers should review and apply the mitigation instructions described in Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server.",
          "title": "Do I need to take further steps to be protected from this vulnerability?"
        },
        {
          "category": "faq",
          "text": "The privileges acquired by the attacker would be the ability to run PowerShell in the context of the system.",
          "title": "What privileges can an attacker gain by exploiting this vulnerability?"
        },
        {
          "category": "faq",
          "text": "Please see Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server for more information",
          "title": "Where can I find more information about this CVE?"
        }
      ],
      "product_status": {
        "fixed": [
          "11682",
          "11956",
          "11957",
          "12038",
          "12039"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040"
        },
        {
          "category": "self",
          "summary": "CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2022/msrc_cve-2022-41040.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-30T07:00:00.000Z",
          "details": "15.00.1497.044:Security Update:https://support.microsoft.com/help/5019758",
          "product_ids": [
            "5"
          ],
          "url": "https://support.microsoft.com/help/5019758"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-30T07:00:00.000Z",
          "details": "15.01.2375.037:Security Update:https://support.microsoft.com/help/5019758",
          "product_ids": [
            "4"
          ],
          "url": "https://support.microsoft.com/help/5019758"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-30T07:00:00.000Z",
          "details": "15.02.0986.036:Security Update:https://support.microsoft.com/help/5019758",
          "product_ids": [
            "3"
          ],
          "url": "https://support.microsoft.com/help/5019758"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-30T07:00:00.000Z",
          "details": "15.02.1118.020:Security Update:https://support.microsoft.com/help/5019758",
          "product_ids": [
            "2"
          ],
          "url": "https://support.microsoft.com/help/5019758"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-30T07:00:00.000Z",
          "details": "15.01.2507.016:Security Update:https://support.microsoft.com/help/5019758",
          "product_ids": [
            "1"
          ],
          "url": "https://support.microsoft.com/help/5019758"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 7.9,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-41040 (GCVE-0-2022-41040)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Confirmed Compromise Confidence: 70% Source: kevintel

Details

References

Contournement provisoire

Détection

Solution

Contournement provisoire

Détection

Solution

Solution

Solution

Tags

Sightings

Nomenclature