Microsoft finally released security updates for two zero-day vulnerabilities in Exchange Server that were disclosed in late September and led to attacks from a state-linked threat actor.
The updates address two flaws: a server-side request forgery vulnerability, tracked as CVE-2022-41040, and a second, tracked as CVE-2022-41082, that allows remote code execution when the attacker has access to PowerShell, according to Microsoft.
Microsoft confirmed there have been limited, targeted attacks using the two vulnerabilities. The server-side request forgery can allow an attacker to remotely trigger CVE-2022-41082; however, the attacker must first be authenticated.
Microsoft previously advised customers to enable mitigations, including the URL rewrite rule, but those mitigations are no longer recommended.
Microsoft urged users to apply security updates even if they applied mitigations last month.
“It’s great to see that a patch is available and the security community will continue to validate its effectiveness,” John Hammond, senior security researcher at Huntress, said via email.
Hammond said there isn’t a need to scrutinize the length of time it took to issue the updates, noting the attacks were very limited and targeted.
“Rolling the security update out in a traditional patch routine makes sense to me as this didn’t need to be an immediate/critical/out-of-band emergency fix,” Hammond said.
Researchers at Automox suggest patching within 24 hours for organizations running on-premises or hybrid servers, especially if mitigation steps have not been taken.
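Because the article's advice hinges on confirming that the security update is actually installed, here is an added example (not from the article, Microsoft, or Automox) of a check an Exchange administrator can run in the Exchange Management Shell. It reads the file version of ExSetup.exe, which reflects the installed security update, rather than Get-ExchangeServer's AdminDisplayVersion, which only reflects the Cumulative Update. The patched build numbers are placeholders, since the article does not list them; replace them with the values from Microsoft's release notes for the update that fixes CVE-2022-41040 and CVE-2022-41082. The function name Get-ExchangeSuStatus is an assumed name.

```powershell
# Added example, not part of the article: report whether this Exchange server
# carries at least the build of the security update.
# Assumptions: run in the Exchange Management Shell on the server itself;
# the build numbers below are PLACEHOLDERS (not from the article) that must be
# replaced with the builds listed in Microsoft's release notes for the update.

$PatchedBuilds = @{
    '15.2' = [Version]'15.2.9999.0'   # Exchange 2019 (placeholder)
    '15.1' = [Version]'15.1.9999.0'   # Exchange 2016 (placeholder)
    '15.0' = [Version]'15.0.9999.0'   # Exchange 2013 (placeholder)
}

function Get-ExchangeSuStatus {
    param(
        # ExSetup.exe is on the path in the Exchange Management Shell.
        [string]$ExSetupPath = (Get-Command ExSetup.exe -ErrorAction Stop).Source
    )

    # The ProductVersion of ExSetup.exe changes with each Security Update,
    # unlike AdminDisplayVersion, which stays at the Cumulative Update build.
    $installed = [Version](Get-Item $ExSetupPath).VersionInfo.ProductVersion
    $key       = "$($installed.Major).$($installed.Minor)"
    $required  = $PatchedBuilds[$key]

    $status = if ($null -eq $required)        { 'Unknown Exchange version' }
              elseif ($installed -ge $required) { 'Patched' }
              else                              { 'NEEDS UPDATE' }

    [PSCustomObject]@{
        Server    = $env:COMPUTERNAME
        Installed = $installed
        Required  = $required
        Status    = $status
    }
}

Get-ExchangeSuStatus | Format-List
```

For a fleet of servers, wrap the same function in Invoke-Command against each Exchange host and collect the objects; a server whose status is anything other than Patched should be scheduled for the update regardless of whether the earlier URL rewrite mitigation was applied.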
The vulnerabilities were originally disclosed by Vietnam-based security research firm GTSC after months of discussions and delays with the software company.