Microsoft Exchange vulnerable to server-side request forgery and remote code execution.
Description

### Overview

Microsoft Exchange 2019 Cumulative Update 23 and earlier versions are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server.

### Description

Microsoft Exchange Server’s [Autodiscover service]() is a web service widely available to any Microsoft Exchange Web Services (EWS) client. Since Microsoft Exchange version 2016, the Autodiscover service has become an integral part of the Microsoft Exchange system, and it is no longer independently provided by a Client Access server. The Autodiscover service and a number of other privileged mailbox services are hosted on the default Internet Information Services server running on the Mailbox server.

Cybersecurity company GTSC [observed an abuse of the Autodiscover service in August of 2022]() using a crafted URL SSRF attack, similar to the earlier [ProxyShell]() vulnerability reported in August 2021. The observed attack appears to have implemented [CVE-2022-41040]() to gain privileged access and [CVE-2022-41082]() to perform remote code execution via PowerShell. Microsoft Security Research Center has [acknowledged the vulnerability and provided guidance for mitigation](). The guidance highlights that Microsoft Exchange Online customers will be provided with detection and mitigation defenses automatically from Microsoft’s managed Infrastructure, informing them of any attempts to exploit these vulnerabilities.

### Impact

An authenticated remote attacker can perform SSRF attacks to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers. As the attack is targeted against the Microsoft Exchange Mailbox server, the attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments.

### Solution

#### Workaround guidance

Microsoft has provided guidance in their [recent blog post]() to address the issue. [Jang]() notes that the guidance can be bypassed due to a small error in the URL filter `.*autodiscover\.json.*@.*Powershell.*`, which is detailed in step 6 under Option 3. The recommended block pattern is `.*autodiscover\.json.*Powershell.*` (excluding the `@` symbol), applied as a regular expression, to prevent known variants of the [#ProxyNotShell]() attacks.

#### Apply update when available

As of October 3, 2022, there is no patch available to mitigate this issue. It is recommended that Microsoft Exchange administrators stay on alert for [any advisory or patch]() released by Microsoft.

#### Third-party web application protection

Exchange administrators who use third-party Web Application Firewall (WAF) products can implement the recommended URL filters and blocks as part of their WAF policy.

#### Other mitigations

Exchange administrators can limit outbound connections from the Exchange Mailbox server by allow-listing specific destinations on an outgoing proxy, so that suspicious web requests originating from the server are blocked.

This document was written by Vijay Sarvepalli.

### Vendor Information

915563


### Microsoft (status: Unknown)

Updated: 2022-10-03

| CVE | Status |
|---|---|
| CVE-2022-41040 | Unknown |
| CVE-2022-41082 | Unknown |

#### Vendor Statement

We have not received a statement from the vendor.


### Other Information

| Field | Value |
|---|---|
| **CVE IDs:** | [CVE-2022-41040]() [CVE-2022-41082]() |
| **API URL:** | VINCE JSON \| CSAF |
| **Date Public:** | 2022-10-03 |
| **Date First Published:** | 2022-10-03 |
| **Date Last Updated:** | 2022-10-03 21:59 UTC |
| **Document Revision:** | 1 |
