Finding Microsoft Exchange Servers on your network
GTSC, a Vietnamese security firm, recently discovered two zero-day vulnerabilities that affect Microsoft Exchange Server 2013, 2016, and 2019. These two vulnerabilities are being tracked as CVE-2022-41040 and CVE-2022-41082. According to Microsoft, they are aware of “limited targeted attacks using the two vulnerabilities to get into users’ systems.” In order for attackers to successfully exploit the vulnerabilities, they must have authenticated access to the vulnerable Microsoft Exchange Server.
What is the impact? #
The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability. The second vulnerability, CVE-2022-41082, allows remote code execution (RCE) when the attacker has access to PowerShell. According to GTSC, it appears that attackers can exploit the vulnerabilities to place webshells on exploited systems and set the stage for post-exploitation activities.
Are updates available? #
As of September 30, 2022, both CVEs have not been patched, but Microsoft has indicated they are actively working on an accelerated timeline to issue a fix. According to their guidance, Microsoft Exchange Online Customers do not need to take any action. However, on-premises Microsoft Exchange customers should review and apply Microsoft’s mitigation steps on URL Rewrite Instructions and block exposed Remote PowerShell ports.
How do I find Microsoft Exchange Servers with runZero? #
Get runZero for free
Don’t have runZero and need help finding Microsoft Exchange Servers?Start your runZero trial
November 9, 2023
How to find SysAid Help Desk instances
How to find SysAid Help Desk instances # On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a …Read More
November 1, 2023
How to find Apache ActiveMQ instances
How to find Apache ActiveMQ® instances # On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that could lead to unauthenticated remote code execution. Shortly after the issue was disclosed exploits started to appear and the Rapid7 MDR team …Read More
October 30, 2023
Finding NGINX Ingress Controllers with runZero
Today, three vulnerabilities in the NGINX Ingress Controller for Kubernetes were disclosed, as described in this article from The Hacker News. These vulnerabilities have CVSS scores ranging from 7.6 to 8.8; all of these scores are considered high. These vulnerabilities have …Read More