CVE-2022-41040 and CVE-2022-41082: ProxyShell Variant Exploited in the Wild
Yesterday, Tenable’s Security Response Team released a community post about an unconfirmed zero-day vulnerability in Microsoft Exchange Server. Since the post, additional information has been discovered and released.
As a recap, on September 28, GTSC Cybersecurity Technology Company Limited published a blog post (English translation published later) regarding their discovery of a zero-day vulnerability in Microsoft Exchange Server that was being exploited in the wild. Late on September 29, Microsoft provided a blog post confirming their team was investigating the issue and provided two CVEs:
CVE-2022-41040 is an authenticated server-side request forgery vulnerability in Microsoft Exchange Servers that was assigned a CVSSv3 score of 6.3 by ZDI. Exploitation of CVE-2022-41040 could allow an attacker to exploit CVE-2022-41082.
CVE-2022-41082 is an authenticated remote code execution vulnerability assigned a CVSSv3 score of 8.8. It is very similar to ProxyShell, a chain of three vulnerabilities in Exchange Server discovered by Orange Tsai in 2021. However, the original ProxyShell attack chain did not require authentication, while CVE-2022-41082 does.
At this time, Microsoft has not released any patches; however, they do note that “we are working on an accelerated timeline to release a fix.”
We will continue to monitor this situation and add updates to our latest Tenable blog post as new information is released. Plugin coverage is being investigated at this time.