CVE-2022-41082: 
vulnerability analysis and mitigation

Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082) was discovered in September 2022 alongside CVE-2022-41040. The vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019. When combined with CVE-2022-41040 (a Server-Side Request Forgery vulnerability), an authenticated attacker could trigger malicious code execution in the context of the server's account through network calls (CERT VU, Securelist).

The vulnerability exists in Microsoft Exchange Server's PowerShell interface. It requires authentication and can be triggered remotely when PowerShell is accessible to the attacker. The attack chain typically involves first exploiting CVE-2022-41040 to gain privileged access to the PowerShell API endpoint through the Exchange Autodiscover mechanism, followed by exploiting CVE-2022-41082 to execute arbitrary PowerShell code. The vulnerability was initially discovered being exploited in August 2022 by Vietnamese cybersecurity firm GTSC (Securelist).

Successful exploitation of this vulnerability allows authenticated attackers to execute arbitrary code with elevated privileges on affected Exchange servers. The attack could potentially lead to complete system compromise and enable lateral movement into Exchange and Active Directory environments (CERT VU).

Microsoft released security updates for CVE-2022-41082 on November 8, 2022, as part of their Patch Tuesday updates. Prior to the patch, Microsoft recommended implementing URL Rewrite rules and disabling remote PowerShell access for non-admin users. Exchange Online customers were automatically protected through Microsoft's managed infrastructure (Microsoft Blog).