Issued: Thursday, 10 November, 2022
Last Revision: Thursday, 10 November, 2022
Vendor: Microsoft
Product: Microsoft Exchange Server
Severity Level:
Two zero-day vulnerabilities in Microsoft Exchange are being actively exploited: CVE-2022-41040 is an elevation of privilege vulnerability, and CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker. Successful exploitation may give the attacker the ability to execute commands, which may in turn allow exfiltration of data and lateral movement to internal systems.
The previously reported privilege escalation vulnerability CVE-2022-41080 has also been addressed by Microsoft; it is considered likely to be exploited in the near future.
| CVE/Vulnerability | Description | CVSS 3.1 Score | Exploitable |
|---|---|---|---|
| CVE-2022-41082 | Microsoft Exchange Server RCE | 8.8 | Yes |
| CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege | 8.8 | Yes |
| CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege | 8.8 | No |

Table 1: Vulnerability details
| Update Type | Product(s) Detail |
|---|---|
| Security Updates | Microsoft Exchange Server 2019 Cumulative Update 12; Microsoft Exchange Server 2019 Cumulative Update 11; Microsoft Exchange Server 2016 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Update 22; Microsoft Exchange Server 2013 Cumulative Update 23 |

Table 2: Vulnerable versions
We recommend that all entities update to the latest version to remediate these vulnerabilities in Exchange Server.
