Microsoft Investigating Reports of Another Possible Exchange Server Zero-Day Vulnerability
Update: AhnLab has since removed the blog post from its website. It is unclear why the post was removed. We're continuing to monitor for any further updates surrounding this alleged zero-day.
On October 11, AhnLab Security Emergency Response Center (ASEC) published a blog post (English translation here) regarding an incident response investigation from July 2022 involving the exploitation of a Microsoft Exchange Server vulnerability that led to a ransomware infection.
According to the blog post, based on the analysis of the vulnerability types and the dates the compromised Exchange Servers were patched, ASEC believes that the attacker in this instance “used an undisclosed zero-day vulnerability.”
While two other zero-day vulnerabilities in Microsoft Exchange Server, dubbed ProxyNotShell (CVE-2022-41040, CVE-2022-41082), were recently disclosed, ASEC presumes, based on the “attack method, the generated WebShell file name, and subsequent attacks after WebShell creation,” that the attacker “used a different zero-day vulnerability.”
Microsoft has weighed in on ASEC’s report, responding to a request for comment from The Record, saying they are “investigating the claims in this report and will take any action needed to help protect customers.”
While we have no further information about this alleged zero-day reported by ASEC, Tenable created a plugin (ID 165705) for ProxyNotShell that will report all currently supported versions of Microsoft Exchange Server with a High severity rating to help customers identify systems that are affected.
Once more information becomes available, we will either update this community post or publish a new one with additional information.