Microsoft says two new Exchange zero-day bugs under active attack, but no immediate fix
Microsoft has confirmed two unpatched Exchange Server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks.
Vietnamese cybersecurity company GTSC, which first discovered the flaws as part of its response to a customer’s cybersecurity incident in August 2022, said the two zero-days have been used in attacks on their customers’ environments dating back to early August 2022.
Microsoft’s Security Response Center (MRSC) said in a blog post late on Thursday that the two vulnerabilities were identified as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the technology giant confirmed.
