Critical Microsoft Exchange Zero-Day – CVE-2022-41082 Server-Side Request Forgery (SSRF)
CVE ID: CVE-2022-41082
CVE Score: 8.8
CWE-ID: CWE-20 – Improper Input Validation
Impacted Product: Microsoft Exchange Server 2013, 2016, and 2019
Published Date: 30 Sep 2022
Updated: 03 Oct 2022
Vulnerability Threat & Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to an unspecified error related to the “autodiscover/autodiscover.json” endpoint. A remote attacker can send a specially crafted request to the affected Exchange Server and execute arbitrary code on the system.
CVE-2022-41082 is an authenticated remote code execution vulnerability. It is very similar to ProxyShell, a chain of three vulnerabilities in Exchange Server discovered by Orange Tsai in 2021. However, the original ProxyShell attack chain did not require authentication, while CVE-2022-41082 does.
Note: the vulnerability is being actively exploited in the wild.
Not available (no patch and no workaround)
Attack Vector: Network (AV:N)
Authentication required: Yes, the attacker must be authenticated
Privileges Required: Low (PR:L), according to the CVSS metric
Patch Available: No, Microsoft is still investigating
Public Exploit available: Yes (Proof-of-Concept)
Attack Complexity: Low
User Interaction: None (UI:N)
• Confidentiality: High
• Integrity: High
• Availability: High
Expected Attack type: Remote code execution. An attacker exploiting this vulnerability could target the server's accounts to achieve arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.
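
Added example, not part of the original advisory or any vendor tooling: because the advisory names the autodiscover/autodiscover.json endpoint and states that the attacker must be authenticated, this Python script lists authenticated requests to that endpoint from IIS W3C logs, grouped by client IP and account, for analyst review. The log lines are constructed, and the field layout is an assumption about how logging is configured on the server.

```python
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "autodiscover/autodiscover.json"  # endpoint named in the advisory

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-10-01 08:14:02 POST /autodiscover/autodiscover.json a=1 CONTOSO\\jdoe 203.0.113.7 200
2022-10-01 08:14:05 GET /owa/auth/logon.aspx - - 198.51.100.4 200
2022-10-01 08:15:40 GET /Autodiscover/Autodiscover.json - - 198.51.100.9 401
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2022-10-01 09:01:11 203.0.113.7 CONTOSO\\jdoe GET /autodiscover/autodiscover%2Ejson - 200
2022-10-01 09:02:30 192.0.2.15 CONTOSO\\asmith GET /ews/exchange.asmx - 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, re-reading #Fields whenever it reappears."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(lines):
    """Group authenticated requests to the endpoint by (client IP, account)."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        # Decode percent-encoding and ignore case before matching.
        target = unquote(row.get("cs-uri-stem", "") + "?"
                         + row.get("cs-uri-query", "")).lower()
        user = row.get("cs-username", "-")
        if ENDPOINT in target and user != "-":  # "-" means no authenticated user
            hits[(row.get("c-ip", "?"), user)].append(
                (row.get("date"), row.get("time"),
                 row.get("cs-method"), row.get("sc-status")))
    return dict(hits)

if __name__ == "__main__":
    for (ip, user), reqs in triage(SAMPLE_LOG).items():
        print(f"{ip} as {user}: {len(reqs)} request(s)")
        for r in reqs:
            print("   ", *r)
```

Mail clients also use this endpoint legitimately, so the output is a list of accounts and source addresses to review, not a verdict of compromise.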