Vulnerability Details : CVE-2022-41040
Public exploit exists!
Used for ransomware!
Microsoft Exchange Server Elevation of Privilege Vulnerability
Vulnerability category: Server-side request forgery (SSRF); Gain privilege
CVE-2022-41040 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Microsoft Exchange Server Server-Side Request Forgery Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
Notes:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Added on
2022-09-30
Action due date
2022-10-21
Exploit prediction scoring system (EPSS) score for CVE-2022-41040
Probability of exploitation activity in the next 30 days: 96.64%
Percentile (the proportion of vulnerabilities scored at or below this one): ~100%
Metasploit modules for CVE-2022-41040
- Microsoft Exchange ProxyNotShell RCE
  Disclosure Date: 2022-09-28
  First seen: 2022-12-23
  exploit/windows/http/exchange_proxynotshell_rce
  This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw (CVE-2022-41082) can be leveraged to obtain code execution.
CVSS scores for CVE-2022-41040
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Microsoft Corporation
CWE ids for CVE-2022-41040
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (Assigned by: nvd@nist.gov, Primary)
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-41040
- http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html
  Microsoft Exchange ProxyNotShell Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/
  Microsoft November 2022 Patch Tuesday fixes 65 vulnerabilities!
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040
  CVE-2022-41040 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability (Mitigation; Patch; Vendor Advisory)
- https://www.kb.cert.org/vuls/id/915563
  VU#915563 - Microsoft Exchange vulnerable to server-side request forgery and remote code execution (Third Party Advisory; US Government Resource)
Products affected by CVE-2022-41040
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*