Microsoft Updates Mitigation for Exchange Server Zero-Days

Published: 23/11/2024   Category: security




Researchers had discovered that Microsoft's original mitigation steps for the so-called ProxyNotShell flaws were easily bypassed.



Microsoft today updated its mitigation measures for two recently disclosed and actively exploited zero-day vulnerabilities in its Exchange Server technology after researchers found its initial guidance could be easily bypassed.
Microsoft's original mitigation for the two vulnerabilities, CVE-2022-41040 and CVE-2022-41082, was to apply a blocking rule to a specific URL path using the URL Rewrite Module on IIS Server. According to the company, adding the string ".*autodiscover.json.*@.*Powershell.*" would help block known attack patterns against the vulnerabilities.
However, security researchers — including Vietnam-based security researcher Jang, Kevin Beaumont, and others — had noted that attackers can easily bypass the Microsoft-recommended mitigation to exploit the vulnerabilities. "The @ in the Microsoft-recommended .*autodiscover.json.*@.*Powershell.* URL block mitigations for CVE-2022-41040 [and] CVE-2022-41082 seems unnecessarily precise, and therefore insufficient," security researcher Will Dormann said in a tweet. "Probably try .*autodiscover.json.*Powershell.* instead," he wrote.
The CERT Coordination Center at Carnegie Mellon University appeared to echo the recommendation in its note about the vulnerabilities. "The recommended block pattern is .*autodiscover.json.*Powershell.* (excluding the @ symbol) as a regular expression to prevent known variants of the #ProxyNotShell attacks," CERT said.
On Tuesday, after more than a day of silence on the issue, Microsoft updated its guidance to reflect the change that the security researchers had suggested (.*autodiscover.json.*Powershell.*). "Important updates have been made to the Mitigations section improving the URL Rewrite rule," Microsoft said. "Customers should review the Mitigations section and apply one of these updated mitigation options."
The blocking rule has been updated and enabled automatically for organizations that have enabled Microsoft's Exchange Emergency Mitigation Service. Microsoft has also updated a script that organizations can use to enable the URL Rewrite mitigation measure, and updated its step-by-step guidance on how to apply the rule for organizations that want to implement the mitigation manually. Microsoft has also strongly recommended that Exchange Server customers disable remote PowerShell access for nonadministrative users.
Microsoft originally released mitigation guidance on Sept. 30, following the public disclosure of CVE-2022-41040 and CVE-2022-41082, two vulnerabilities in Exchange Server that it said were being used in a limited number of targeted attacks since August 2022. The flaws affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that are exposed to the Internet. The US Cybersecurity and Infrastructure Security Agency (CISA) has described the vulnerabilities as giving attackers a way to take control of an affected system.

A map of devices from the Shodan search engine that security researcher Beaumont generated this week shows tens of thousands of systems around the world that appear to be running vulnerable versions of Exchange Server.
Microsoft said customers of Microsoft Exchange Online are protected and therefore don't need to take any action — an assertion that Beaumont has challenged. "Even if you're Exchange Online, if you migrated and kept a hybrid server (a requirement until very recently) you are impacted," Beaumont noted. Beaumont has labeled the vulnerabilities ProxyNotShell because the exploit process and Microsoft's mitigations are very similar to those associated with last year's ProxyShell vulnerabilities in Exchange Server.
Microsoft is currently working on a fix for the two vulnerabilities.
"It is common for fixes to not be complete," says David Lindner, CISO at Contrast Security. "We have not verified the bypasses, but it is common for a back and forth to happen between exploit and fix until the true root cause is resolved." He points to the initial fixes for the Log4Shell vulnerability in Apache's Log4j logging framework as one example. "Over the course of a couple of weeks, there were multiple renditions trying to resolve the root of the issue," he notes.
CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution flaw when PowerShell is remotely accessible to the attacker. Microsoft said it had detected a single threat actor using CVE-2022-41040 to remotely trigger CVE-2022-41082 and install a Web shell called Chopper on vulnerable systems that enabled them to steal data and conduct Active Directory reconnaissance. Chopper is a Web shell that has previously been associated with Chinese threat actors.
The flaws can be chained together in an attack — as happened with the threat actor that Microsoft observed — or used separately. In both instances, however, an attacker would need to be authenticated, even if only at the level of a standard user, to exploit the vulnerabilities, Microsoft said. Singapore-based security firm GTSC discovered the two flaws and, in coordination with Trend Micro's Zero Day Initiative, reported the bugs to Microsoft.
