Finding Microsoft Exchange Servers on your network

(updated ), by Thao Doan

GTSC, a Vietnamese security firm, recently discovered two zero-day vulnerabilities that affect Microsoft Exchange Server 2013, 2016, and 2019. These two vulnerabilities are being tracked as CVE-2022-41040 and CVE-2022-41082. According to Microsoft, they are aware of “limited targeted attacks using the two vulnerabilities to get into users’ systems.” In order for attackers to successfully exploit the vulnerabilities, they must have authenticated access to the vulnerable Microsoft Exchange Server.

What is the impact?

The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability. The second vulnerability, CVE-2022-41082, allows remote code execution (RCE) when the attacker has access to PowerShell. According to GTSC, it appears that attackers can exploit the vulnerabilities to place webshells on exploited systems and set the stage for post-exploitation activities.

Are updates available?

As of September 30, 2022, both CVEs have not been patched, but Microsoft has indicated they are actively working on an accelerated timeline to issue a fix. According to their guidance, Microsoft Exchange Online Customers do not need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft’s mitigation steps on URL Rewrite Instructions and block exposed Remote PowerShell ports.

How do I find Microsoft Exchange Servers with runZero?

To get started, you can scan your network with runZero to collect your asset inventory. Then, from the Asset Inventory, use the following query to locate Microsoft Exchange Servers on your network:

product:"exchange server"
The prebuilt query is available in the Queries Library

Check out our Queries Library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding Microsoft Exchange Servers?

Start your runZero trial
Join our team

Similar Content

June 3, 2023

Finding MOVEit File Transfer Services

Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software are making the rounds this week. The vendor, Progress Software, has released an advisory and this issue has now been assigned CVE-2023-34362. Attackers are abusing a SQL injection …

Read More

June 2, 2023

Finding Barracuda Email Security Gateways

Exploitation of Barracuda Email Security Gateway (ESG) appliances has made the news recently, including on-going investigation into the attacks. Leveraging a zero-day vulnerability as far back as October 2022, attackers compromised ESG targets to deploy malware that created …

Read More

May 31, 2023

Finding Zyxel Network Devices

Last month, Zyxel disclosed a remote command execution vulnerability affecting a handful of their product families. This vulnerability has been assigned CVE-2023-28771, and with a CVSSv3 score of 9.8, this vulnerability is considered highly critical. Attackers who send a …

Read More