Microsoft said Friday it's "working on an accelerated timeline" to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, which the company acknowledged have been used in attacks on customers.
One of the vulnerabilities could enable remote execution of commands on a compromised server, prompting concern among security researchers about the potential for significant exploitation in coming days. The remote code execution vulnerability, which is being tracked by the identifier CVE-2022-41082, has similarities to the previously disclosed "ProxyShell" flaws. The new vulnerability was dubbed "ProxyNotShell" by researcher Kevin Beaumont, who was among the first to report seeing exploits of the bug in a series of tweets on Thursday.
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.
The second vulnerability, which is being tracked as CVE-2022-41040, can be used by an attacker to trigger the remote code execution vulnerability, Microsoft said in a blog post. The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, according to Microsoft.
A limiting factor on the exploitability of either of the newly disclosed bugs is that an attacker would first need to be authenticated to the vulnerable Exchange server they were attempting to exploit, Microsoft said.
The company released details on a mitigation that can be used to block the attack patterns that have been observed so far for the vulnerabilities.
"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems," the company said in its blog post.
One researcher told Protocol on Thursday that exploitation of the vulnerability is expected to escalate in the next few days. Exchange "is a juicy target for threat actors to exploit" because its servers must be connected directly to the internet, and are a key function for many businesses as email can't be turned off without causing a major disruption, said Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys.
Microsoft said in its post that customers of Exchange Online won't need to take action in response to the new vulnerabilities. Beaumont disputed that, saying in a tweet that for Exchange Online customers, "if you migrated and kept a hybrid server (a requirement until very recently) you are impacted."
Beaumont also said that his testing has found that, to meet the requirement of being an authenticated user for exploiting ProxyNotShell, "this can be any email user," which is "pretty risky." Already, exploitation of the vulnerabilities "has been happening for at least one month in the wild," he said in a tweet.
The vulnerabilities were initially disclosed by researchers at cybersecurity vendor GTSC.