Trustwave Action Response: Zero Day Vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019

Update Oct. 4: Microsoft released Security Update Guides for these two vulnerabilities. 

Trustwave security teams are aware of two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) impacting on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019, and organizations with Outlook Web Access exposed to the Internet. If exploited, they can allow an attacker to elevate privileges and execute code remotely. Exchange Online customers do not need to take action.

We immediately investigated the vulnerabilities and potential exploits and continue to monitor the situation. Trustwave infrastructure has not been adversely affected by the vulnerabilities. We are responding proactively and actively hunting for signs of these attacks.

We are diligently watching over our clients for exposure and associated attacks.

We will update this blog as needed with additional information.

Microsoft’s Discovery and Guidance

Microsoft is aware of the issue and reported that a limited number of attacks have taken place. Attacks have been observed since August 2022, although at this stage Microsoft is calling them "limited," with fewer than 10 organizations globally affected.

Microsoft has not yet released patches for the vulnerabilities but did publish guidance on these two vulnerabilities on September 30, including specific mitigation steps.

The issues were first discovered by the GTSC SOC team in Vietnam and reported on September 28. GTSC has tracked the exploitation of these vulnerabilities starting in early August. GTSC's blog includes IOC information that can be used for detection.

What are the Microsoft Exchange Vulnerabilities?

The vulnerabilities are CVE-2022-41040, which is a Server-Side Request Forgery (SSRF) vulnerability used for Elevation of Privilege and CVE-2022-41082, a Remote Code Execution Vulnerability. 

Microsoft's blog notes that for CVE-2022-41040, an attacker must be authenticated and that privileges required for exploitation are low.

In addition, Microsoft Exchange Online clients do not need to take action. However, Exchange Server clients should review and apply the mitigation instructions provided in Microsoft’s blog.

CVE-2022-41082 also requires authentication; standard user credentials are sufficient for the attack to work when it is combined with the privilege-elevation exploit. Microsoft further notes that an attacker could target the server's accounts for arbitrary or remote code execution: as an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

According to GTSC, the exploits were used to install a webshell on the impacted Exchange servers along with other malware.

What Do We Know?

The precise details of the attack have not been released. However, the attacks appear somewhat similar to the ProxyShell (CVE-2021-34473) attacks on Exchange servers observed in 2021, in which a malicious HTTP request was made with the string "autodiscover/autodiscover.json" in the URL. Below is an example of the previous ProxyShell request format:

GET /autodiscover/autodiscover.json?<Exchange-backend-endpoint>&Email=autodiscover/

Similarly, in this case, the observed attack sends a malicious HTTP request that triggers the chain of vulnerabilities, which leads to the dropping of web shells and the running of arbitrary commands, as illustrated in the attack-chain diagram in Microsoft's blog.

Microsoft said authenticated access to the vulnerable Exchange Server is necessary for an attacker to exploit either vulnerability, although the privileges necessary for exploitation are low. It must be stressed that this is a low barrier for adversaries with access to stolen credentials.

Some of the dropped web shells include the open-source web shell management tool AntSword and the post-exploitation framework SharPyShell. In their original blog, GTSC also observed a backdoor called Dll.dll planted on the Exchange Server that emulates Microsoft Exchange EWS (Exchange Web Services) and listens for connections on port 443 at the path:


This backdoor has wide-ranging functionality including collecting information, executing shellcode and commands, and manipulating files.


Microsoft has issued detailed mitigation steps in its Exchange Team blog post, linked under Helpful Resources below.

The main mitigation step outlined there is to add a URL Rewrite blocking rule in IIS that looks for and blocks the following string:


Microsoft also advises disabling PowerShell access for non-admin users in your organization.


While attacks may be limited to date, given the nature and publicity of these attacks, it is likely that cybercriminals will add them to their arsenals and we will see more such attacks soon. Trustwave recommends:

  • Putting in place recommended mitigations as detailed by Microsoft
  • Scanning IIS logs for signs of malicious HTTP requests
  • Scanning Exchange Servers for IOCs and dropped artifacts
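As an added example (not code from the original post or from Trustwave), the following script parses IIS W3C logs and flags requests shaped like the ProxyShell-style Autodiscover request shown above, which is the kind of scan the second recommendation calls for. The log lines are constructed, and the check for a query referencing the PowerShell endpoint is an assumption added here because Microsoft's mitigation guidance centres on PowerShell access.

```python
"""Scan IIS W3C logs for Exchange Autodiscover requests shaped like the
ProxyShell/ProxyNotShell request format described above (added example)."""
import re
from typing import Dict, Iterable, List

# Constructed sample log excerpt in IIS W3C format (not real data).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-29 08:12:01 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=Ews 10.0.0.5 200
2022-09-29 08:12:07 GET /owa/ - 10.0.0.6 200
2022-09-29 08:13:44 POST /autodiscover/autodiscover.json @example.test/powershell/&Email=autodiscover/ 198.51.100.7 200
2022-09-29 08:14:02 GET /Autodiscover/Autodiscover.json a@example.test/mapi/nspi/&Email=autodiscover/autodiscover.json 198.51.100.7 401
"""

# Request shape taken from the ProxyShell example on this page: the URL
# contains autodiscover/autodiscover.json and the query carries
# "&Email=autodiscover/...". The PowerShell check is an assumption added
# here because Microsoft's mitigation centres on the PowerShell endpoint.
STEM_RE = re.compile(r"autodiscover/autodiscover\.json", re.IGNORECASE)
EMAIL_RE = re.compile(r"(?:^|&)Email=autodiscover/", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C log lines, using the #Fields header to name the columns."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                entries.append(dict(zip(fields, values)))
    return entries

def suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return log entries matching the Autodiscover request shape above."""
    hits: List[Dict[str, str]] = []
    for e in parse_w3c(log_text.splitlines()):
        stem, query = e.get("cs-uri-stem", ""), e.get("cs-uri-query", "")
        if STEM_RE.search(stem) and (EMAIL_RE.search(query) or POWERSHELL_RE.search(query)):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

Legitimate Autodiscover v2 lookups (an Email= value that is a real mailbox address) are not flagged; only requests whose query mimics the backend-endpoint form are reported, and each hit should be reviewed alongside the GTSC and Microsoft IOCs.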

Helpful Resources

GTSC Blog - Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server

Microsoft Security Blog - Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

Microsoft Exchange Team - Blog - Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Additional Microsoft Customer Guidance

CVE-2022-41040 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41082 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability