October 5, 2022
Two New Zero-Day Vulnerabilities Affecting On-Premises Microsoft Exchange Server
On September 29, 2022, Microsoft reported investigating two zero-day vulnerabilities impacting Microsoft Exchange 2013, 2016, and 2019. Microsoft is reporting attacks on Microsoft Exchange Servers utilizing the two vulnerabilities in tandem. Microsoft has noted that mitigations against these vulnerabilities are already in place for Microsoft Exchange Online (Microsoft 365).
At this time, no patch is available for these vulnerabilities. Microsoft has provided workaround mitigations for on-premises Microsoft Exchange Servers, listed in the link below. The workaround entails configuration changes within IIS Manager and blocking certain ports related to Remote PowerShell. For people and organizations using Microsoft Sentinel or Microsoft Defender products for antivirus, Microsoft also provides additional detection guidance in the same article.
As always, testing is important! Consider working with your technical resources to review and test any system changes.
Authored by: David Bentley, CISSP