Microsoft has formally confirmed that it is investigating two zero-day security vulnerabilities affecting Exchange Server 2013, 2016, and 2019, following reports of in-the-wild exploitation.
"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," the tech giant said.
The company also confirmed that it is aware of "limited targeted attacks" weaponizing the flaws to gain initial access to targeted systems, but stressed that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.
The attacks detailed by Microsoft show that the two flaws are chained together in an exploit chain, with the SSRF bug allowing an authenticated adversary to remotely trigger arbitrary code execution.