There’s good and bad news about the Microsoft Exchange server zero-day exploit

Yay, Microsoft has told us how to mitigate against attacks. Boo, the mitigations can be bypassed.

There's good and bad news about the Microsoft Exchange server zero-day exploit

Good news!

Microsoft may not yet have released a proper patch for the two new zero-day vulnerabilities that have been exploited in “limited targeted attacks” against Microsoft Exchange users, but it has published mitigations which can help protect your organisation.

Bad news!

Security researchers have found Microsoft’s mitigations can be bypassed.

Sign up to our free newsletter.
Security news, advice, and tips.

Here’s a video from researcher Will Dormann where he offers a demonstration of how it’s possible to waltz around the CVE-2022-41040 and CVE-2022-41082 vulnerability mitigations has offered.

πŸ‡»πŸ‡³ Microsoft Exchange mitigations bypass CVE-2022-41040, CVE-2022-41082

However, there’s additional good news in that it is not possible for an unauthenticated user to exploit the security holes remotely, meaning that any hacker who wants to attack your on-premises Exchange server will need to have already broken into one of your users’ accounts, or for a user who is connected to Exchange to have had their computer infected by malware that exploits the flaw.

Furthermore, reports so far have suggested that the attacks have relied upon PowerShell commands being triggered, and so blocking TCP ports 5985 and 5986 on your Exchange server will limit the possibility of attacks.

All the same, good news and bad news aside, it would be great if Microsoft could release a proper working security patch as soon as possible.


Graham Cluley
Graham Cluley β€’   @gcluley

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.