CVE-2022-41040: 
vulnerability analysis and mitigation

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The vulnerability was discovered in August 2022 and publicly disclosed in September 2022. When combined with CVE-2022-41082, this vulnerability allows an authenticated attacker to perform remote code execution on affected Exchange servers (MSRC Blog, Securelist).

The vulnerability exists in Microsoft Exchange's Autodiscover service, which is a web service available to Microsoft Exchange Web Services (EWS) clients. Since Exchange version 2016, the Autodiscover service has become an integral part of the system. The attack involves exploiting insufficient filtering of input data in the Exchange Autodiscover mechanism, allowing an authenticated attacker to gain access to the privileged endpoint of the Exchange Server API (https://%exchange server domain%/powershell). This access enables the execution of PowerShell commands in Exchange's environment on the server machine through XML SOAP protocol (Securelist, CERT VU).

Successful exploitation of this vulnerability, when combined with CVE-2022-41082, allows an authenticated attacker to perform remote code execution with elevated privileges on affected Exchange servers. The attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments (CERT VU, Securelist).

Microsoft released security updates for this vulnerability on November 8, 2022, as part of their Patch Tuesday updates. Prior to the patch, Microsoft recommended implementing URL Rewrite rules in IIS Manager and disabling remote PowerShell access for non-admin users. Exchange Online customers were automatically protected and did not need to take any action (MSRC Blog).