snarang
Product Team
3 years ago

Investigating: Reports of Unconfirmed Zero-Day in Microsoft Exchange Server Exploited in the Wild

Tenable’s Security Response Team is aware of reports of an unconfirmed zero-day vulnerability in Microsoft Exchange Server.

What happened?

On September 28, 2022, GTSC Cybersecurity Technology Company Limited published a blog post (English translation published today) describing what they believe to be a previously unknown vulnerability in Microsoft Exchange Server being exploited in the wild. The vulnerability has not been confirmed by Microsoft.

When was this zero-day first discovered?

According to GTSC, its Security Operations Center (SOC) team discovered the exploitation in August 2022 during its “security monitoring & incident response services.”

Has a CVE been assigned for this vulnerability?

Not at this time. The researchers submitted their findings to Microsoft via the Zero Day Initiative and there are two ZDI submissions attributed to GTSC researchers:

  • ZDI-CAN-18333 (CVSS Score: 8.8)
  • ZDI-CAN-18802 (CVSS Score: 6.3)

We do not know whether ZDI verified the submissions before forwarding them to Microsoft.

Is this related to ProxyShell?

According to GTSC, the requests they observed were formatted similarly to those seen in ProxyShell exploitation attempts. However, it is unclear whether the reported discovery is a bypass of the ProxyShell patches or a new exploitation vector.

How do I know if an attacker exploited this vulnerability?

As with ProxyLogon and ProxyShell before it, the observed attacks against Exchange Server drop webshells, which are left behind so the attacker can retain access to the compromised server after the initial exploitation. The researchers at GTSC have shared a list of indicators of compromise in their blog post based on the activity they observed. Because the requests GTSC saw resemble ProxyShell exploitation attempts, reviewing IIS request logs for that request pattern is a reasonable first check alongside the published indicators.
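As an added example (not part of the original Tenable post or of GTSC's research), the script below parses IIS W3C logs and flags requests with the ProxyShell-style autodiscover path-confusion shape, which is the pattern GTSC says the new activity resembled. The request shape it matches (`/autodiscover/autodiscover.json?@host/backend&Email=autodiscover/autodiscover.json%3F@host`) is the published ProxyShell pattern; the sample log lines, IP addresses and hostnames are constructed, and the indicator names and severity rule are this example's own assumptions, not a detection from Tenable or GTSC. On a real server, point `hunt()` at the log files under the W3SVC directories (default `%SystemDrive%\inetpub\logs\LogFiles`).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for this example (not real traffic). The
# #Fields: line uses the default IIS layout, so the parser works on real logs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-08-15 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2022-08-15 10:03:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3F@evil.com 443 - 198.51.100.7 python-requests/2.28 - 200 0 0 412
2022-08-15 10:03:50 10.0.0.5 GET /autodiscover/autodiscover.json @evil.com/mapi/nspi/&Email=autodiscover/autodiscover.json%3F@evil.com 443 - 198.51.100.7 python-requests/2.28 - 401 0 0 30
2022-08-15 10:06:12 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@contoso.com&Protocol=ActiveSync 443 - 203.0.113.30 Outlook-iOS/2.0 - 200 0 0 45
"""

# Assumed request shape (published ProxyShell pattern):
#   /autodiscover/autodiscover.json?@<host>/<backend>&Email=autodiscover/autodiscover.json%3F@<host>
AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
AT_PREFIX = re.compile(r"^@[^/&]+/")  # query begins with @host/... (path confusion)
EMAIL_BACKREF = re.compile(r"(?:^|&)email=autodiscover/autodiscover\.json\?@", re.IGNORECASE)
BACKEND_POWERSHELL = re.compile(r"@[^/&]+/powershell(?:[/?&]|$)", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    status: int
    indicators: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed triage rule: a 200 on a request aimed at the backend /powershell
        # endpoint is the strongest signal; anything else may be a failed probe.
        if self.status == 200 and "backend_powershell" in self.indicators:
            return "high"
        return "medium"


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def classify(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the record has the ProxyShell-style autodiscover shape."""
    stem = record.get("cs-uri-stem", "")
    query = unquote(record.get("cs-uri-query", "-"))  # %3F -> ? so the back-reference is visible
    if query == "-" or not AUTODISCOVER_JSON.search(stem):
        return None
    indicators = []
    if AT_PREFIX.search(query):
        indicators.append("at_prefix_path_confusion")
    if EMAIL_BACKREF.search(query):
        indicators.append("email_backreference")
    if BACKEND_POWERSHELL.search(query):
        indicators.append("backend_powershell")
    if not indicators:
        return None  # ordinary Outlook autodiscover traffic also uses this stem
    try:
        status = int(record.get("sc-status", "0"))
    except ValueError:
        status = 0
    return Finding(
        timestamp=f"{record.get('date', '')} {record.get('time', '')}",
        client_ip=record.get("c-ip", "-"),
        method=record.get("cs-method", "-"),
        status=status,
        indicators=indicators,
    )


def hunt(log_text: str) -> List[Finding]:
    """Run the classifier over a whole log file's text and collect findings."""
    return [f for f in (classify(r) for r in parse_iis_w3c(log_text.splitlines())) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client_ip} {f.method} {f.status} {','.join(f.indicators)}")
```

The legitimate Outlook autodiscover line in the sample is deliberately not flagged: the stem alone is common traffic, and only the `@host/` prefix, the `Email=` back-reference and the backend `/powershell` target distinguish the exploit shape. Treat a hit as a lead for triage against the GTSC indicators, not as proof of compromise.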

Has Microsoft confirmed these findings?

At the time of publishing this community post, Microsoft has not published any tweets or blog posts confirming GTSC's findings.

Does Tenable have any plugins for this vulnerability?

Because this vulnerability has not yet been confirmed by Microsoft and no patches are available at this time, we do not have any plugin coverage for this reported threat. However, we strongly encourage customers to confirm they have applied previous Exchange Server updates so that they are not exposed to threats like ProxyLogon or ProxyShell. Those updates address the earlier vulnerabilities; they are not known to mitigate the newly reported issue.

What happens if Microsoft confirms this vulnerability?

Once confirmed, we will provide an update on the Tenable blog as well as through a future Community Post update, which will include plugin-related information.