Finding Microsoft Exchange Servers on your network

GTSC, a Vietnamese security firm, recently discovered two zero-day vulnerabilities that affect Microsoft Exchange Server 2013, 2016, and 2019. These two vulnerabilities are being tracked as CVE-2022-41040 and CVE-2022-41082. According to Microsoft, they are aware of “limited targeted attacks using the two vulnerabilities to get into users’ systems.” In order for attackers to successfully exploit the vulnerabilities, they must have authenticated access to the vulnerable Microsoft Exchange Server.

What is the impact?

The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability. The second vulnerability, CVE-2022-41082, allows remote code execution (RCE) when the attacker has access to PowerShell. According to GTSC, it appears that attackers can exploit the vulnerabilities to place webshells on exploited systems and set the stage for post-exploitation activities.

Are updates available?

As of September 30, 2022, both CVEs have not been patched, but Microsoft has indicated they are actively working on an accelerated timeline to issue a fix. According to their guidance, Microsoft Exchange Online Customers do not need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft’s mitigation steps on URL Rewrite Instructions and block exposed Remote PowerShell ports.

How do I find Microsoft Exchange Servers with runZero?

To get started, you can scan your network with runZero to collect your asset inventory. Then, from the Asset Inventory, use the following query to locate Microsoft Exchange Servers on your network:

product:"exchange server"

Check out our Queries Library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding Microsoft Exchange Servers?

Start your runZero trial