There’s good and bad news about the Microsoft Exchange server zero-day exploit

Yay, Microsoft has told us how to mitigate against attacks. Boo, the mitigations can be bypassed.

There's good and bad news about the Microsoft Exchange server zero-day exploit

Good news!

Microsoft may not yet have released a proper patch for the two new zero-day vulnerabilities that have been exploited in “limited targeted attacks” against Microsoft Exchange users, but it has published mitigations which can help protect your organisation.

Bad news!

Security researchers have found Microsoft’s mitigations can be bypassed.

Sign up to our free newsletter.
Security news, advice, and tips.

Here’s a video from researcher Will Dormann where he offers a demonstration of how it’s possible to waltz around the CVE-2022-41040 and CVE-2022-41082 vulnerability mitigations has offered.

🇻🇳 Microsoft Exchange mitigations bypass CVE-2022-41040, CVE-2022-41082

However, there’s additional good news in that it is not possible for an unauthenticated user to exploit the security holes remotely, meaning that any hacker who wants to attack your on-premises Exchange server will need to have already broken into one of your users’ accounts, or for a user who is connected to Exchange to have had their computer infected by malware that exploits the flaw.

Furthermore, reports so far have suggested that the attacks have relied upon PowerShell commands being triggered, and so blocking TCP ports 5985 and 5986 on your Exchange server will limit the possibility of attacks.

All the same, good news and bad news aside, it would be great if Microsoft could release a proper working security patch as soon as possible.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.