Microsoft confirms that cybercriminals are exploiting two zero-day vulnerabilities in Exchange Server 2013, 2016 and 2019.

The vulnerabilities allow cybercriminals to conduct remote code execution attacks. The bugs were discovered by security company GTSC, which published a mitigation guide; Microsoft acknowledged the advisory and registered the vulnerabilities as CVE-2022-41040 and CVE-2022-41082.

Microsoft Exchange zero-day

According to Microsoft, the vulnerabilities were recently exploited for “limited, targeted attacks” on Microsoft Exchange servers. Security firm GTSC disclosed the vulnerabilities in a public report. Technical details are scarce, as the researchers want to prevent cybercriminals from exploiting the information to carry out attacks.

The perpetrators of the discovered attacks used the vulnerabilities to deploy malicious web shells on compromised servers. The web shells allowed the attackers to maintain access, steal data and move into other parts of the network.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system”, the researchers said. GTSC suspects the attacks were carried out by a Chinese hacking group. Although GTSC shared few technical details about the vulnerabilities, the researchers disclosed that the exploitation process is similar to that of attacks on the ProxyShell vulnerabilities.

Zero Day Initiative

GTSC warned Microsoft of the vulnerabilities three weeks ago through the Zero Day Initiative, a bug bounty program. “We submitted the vulnerability to the Zero Day Initiative (ZDI) right away to work with Microsoft so that a patch could be prepared as soon as possible”, the researchers added. “ZDI verified and acknowledged 2 bugs, whose CVSS scores are 8.8 and 6.3.”