Microsoft Exchange On-Prem Critical Vulnerabilities - CVE-2022-41080, CVE-2022-41082

22 Dec / 2022

Cyber Security

CVE: CVE-2022-41080, CVE-2022-41082

What Is Vulnerable?

Microsoft Exchange Server (on-premises) 2013, 2016 and 2019 servers that have not applied the November 2022 Security Update, KB5019758, released on 8 November 2022. Servers protected only by Microsoft's URL Rewrite mitigation, rather than the update, are vulnerable.

What’s Happening?

There has been an increase in attacks against on-prem Exchange Servers that relied on Microsoft's URL Rewrite mitigation, which was published for the ProxyNotShell pair CVE-2022-41040 and CVE-2022-41082, instead of applying the patch. That mitigation does not cover CVE-2022-41080, so threat actors are chaining CVE-2022-41080 with CVE-2022-41082 to infiltrate networks and deploy ransomware.

Key Facts

Attackers use CVE-2022-41080, reachable through Outlook Web App (OWA), to forge requests to the backend PowerShell remoting service; CrowdStrike tracks this exploit method as OWASSRF. It replaces the Autodiscover-based SSRF CVE-2022-41040 used by ProxyNotShell, which is why the URL Rewrite rule written for that path does not stop it. Like ProxyNotShell, the chain needs valid credentials, but low-privileged mailbox credentials are enough.
Once the PowerShell service has been reached, CVE-2022-41082 is exploited to execute arbitrary commands on the server as the Exchange service context, giving remote code execution.

What You Can Do

System Administrators are advised to:

  • Immediately apply update KB5019758 (the November 2022 SU for your Cumulative Update) to all on-prem Exchange Servers; it remediates both CVEs. The URL Rewrite mitigation is not a substitute and should not be treated as one.
  • Inspect systems for PowerShell (powershell.exe) spawned by the IIS worker process (w3wp.exe) that makes outbound connections, including to the following IPs: 45.76.141[.]84, 45.76.143[.]143. A server that was exposed while unpatched should be checked for compromise, because applying the update does not remove an existing foothold.
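The following PowerShell hunt carries out both actions above on a single Exchange server. It is an added example, not code from Cythera, Microsoft, Rapid7 or CrowdStrike. It assumes it is run from an elevated Exchange Management Shell (so ExSetup.exe is on the PATH), that Sysmon is installed and logging process creation (Event ID 1) and network connections (Event ID 3), and that the minimum build numbers in $MinPatched, which are the November 2022 SU builds as listed in Microsoft's Exchange build-number table, are checked against that table before being relied on.

```powershell
# Added hunting script for the advice above (not Cythera's, Microsoft's or Rapid7's code).
# Assumptions: elevated Exchange Management Shell on each on-prem Exchange server;
# Sysmon logging Event ID 1 (process create) and Event ID 3 (network connect).

$Lookback  = (Get-Date).AddDays(-30)                 # adjust to your log retention
$SuspectIp = @('45.76.141.84', '45.76.143.143')      # IPs named in the advisory
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# --- 1. Patch check ------------------------------------------------------------------
# Exchange Security Updates update ExSetup.exe, so its file version shows the SU level.
# Minimum builds carrying the November 2022 SU (KB5019758), keyed by CU. Verify these
# against Microsoft's Exchange build-number table before relying on them.
$MinPatched = @{
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange 2013 CU23
    '15.1.2375' = [version]'15.1.2375.37'   # Exchange 2016 CU22
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange 2016 CU23
    '15.2.986'  = [version]'15.2.986.36'    # Exchange 2019 CU11
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange 2019 CU12
}
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if (-not $exsetup) {
    Write-Warning 'ExSetup.exe not found on PATH; run this from the Exchange Management Shell.'
} else {
    $build = [version]$exsetup.FileVersionInfo.FileVersion
    $cu    = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    if ($MinPatched.ContainsKey($cu) -and $build -ge $MinPatched[$cu]) {
        Write-Host "ExSetup.exe $build : November 2022 SU (or later) is installed."
    } else {
        Write-Warning "ExSetup.exe $build : KB5019758 not detected (or CU not in table). Patch now."
    }
}

# --- 2. Helper: flatten a Sysmon event's <Data Name="..."> fields into one object -----
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{ Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

# --- 3. PowerShell spawned by the IIS worker process ("Webshell - IIS Spawns PowerShell") --
$spawned = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Where-Object { $_.ParentImage -like '*\w3wp.exe' -and $_.Image -match '\\(powershell|pwsh)\.exe$' }

if (-not $spawned) {
    Write-Host 'No PowerShell processes spawned by w3wp.exe in the lookback window.'
} else {
    Write-Warning "$(@($spawned).Count) PowerShell process(es) spawned by w3wp.exe:"
    $spawned | Select-Object Time, ProcessId, User, CommandLine | Format-Table -AutoSize -Wrap

    # --- 4. Outbound connections made by those exact processes (Sysmon Event ID 3) -----
    # Correlate on Sysmon's ProcessGuid rather than PID, so a reused PID cannot produce
    # a false match.
    $guids = @($spawned | ForEach-Object { $_.ProcessGuid })
    $conns = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 3; StartTime = $Lookback } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $guids -contains $_.ProcessGuid -and $_.Initiated -eq 'true' }

    if (-not $conns) {
        Write-Warning 'No outbound connections logged for those processes; review them anyway.'
    }
    foreach ($c in $conns) {
        $tag = if ($SuspectIp -contains $c.DestinationIp) { 'KNOWN IOC' } else { 'review' }
        Write-Warning ('[{0}] {1} pid {2} -> {3}:{4}' -f $tag, $c.Time, $c.ProcessId, $c.DestinationIp, $c.DestinationPort)
    }
}
```

Without Sysmon, Security event 4688 with command-line auditing enabled still gives the w3wp.exe to powershell.exe parent/child pairs, but not the network connections, so the second half of the hunt would then have to come from proxy or firewall logs. Any hit in step 3 is grounds to treat the server as compromised and start incident response, not merely to patch it.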

Detection rules (Rapid7 InsightIDR rule names) that have been associated with this attack vector:

  • Attacker Technique - PowerShell Registry Cradle
  • Suspicious Process - PowerShell System.Net.Sockets.TcpClient
  • Suspicious Process - Exchange Server Spawns Process
  • PowerShell - Obfuscated Script
  • Webshell - IIS Spawns PowerShell

Additional follow-on detection behaviours observed with this type of compromise include:

  • Attacker Technique - Plink Redirecting RDP
  • Attacker Technique - Renamed Plink
  • Suspicious Process - Started From Users Music Directory

Further information on the vulnerabilities is available from Microsoft, Rapid7 and CrowdStrike.

Cythera Vulnerability Management clients are being actively scanned for any vulnerable instances of Microsoft Exchange.

