Internet related News · 2022-10-01

Microsoft investigating 2 zero-day vulnerabilities – News

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

The first, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell (the Exchange PowerShell remoting endpoint) is accessible to the attacker.

Update: Microsoft has published a script that applies the URL Rewrite mitigation steps and has modified step 6 in the Mitigations section of its advisory.

In the observed attacks, CVE-2022-41040 enables an authenticated attacker to remotely trigger CVE-2022-41082, chaining the SSRF into code execution. Note that authenticated access to the vulnerable Exchange Server is required to exploit either vulnerability.
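The URL Rewrite mitigation works by rejecting requests whose URL matches a pattern. The following is an added example, not code from this article or from Microsoft: it applies the same pattern logic offline to IIS W3C log lines so a defender can check whether the exploit-shaped requests ever reached a server. The two pattern strings are the ones Microsoft published in its mitigation guidance (the first revision, and the later lookahead revision that no longer requires the "@" or a fixed token order); the log lines are constructed, and the function names are my own.

```python
import re
from urllib.parse import unquote

# Pattern strings as published in Microsoft's URL Rewrite mitigation guidance
# for CVE-2022-41040 (not taken from this article). The revised form matches
# both tokens in any order and does not require the "@" character.
ORIGINAL_PATTERN = r".*autodiscover\.json.*\@.*Powershell.*"
REVISED_PATTERN = r"(?=.*autodiscover\.json)(?=.*powershell)"

# Mirror the rule's settings: the rule is case-insensitive and, in the revised
# guidance, is evaluated against the URL-decoded request URI.
_ORIGINAL = re.compile(ORIGINAL_PATTERN, re.IGNORECASE)
_REVISED = re.compile(REVISED_PATTERN, re.IGNORECASE)

# Constructed IIS W3C log excerpt (hypothetical hosts and addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-30 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.10 Mozilla/5.0+(Windows) 200
2022-09-30 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/powershell 203.0.113.10 python-requests/2.28 401
2022-09-30 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json %40test.example/%50owershell 203.0.113.11 python-requests/2.28 401
2022-09-30 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40test.example 198.51.100.7 Outlook/16.0 200
"""


def request_uri(cs_uri_stem: str, cs_uri_query: str) -> str:
    """Rebuild REQUEST_URI (path + '?' + query) from the two IIS W3C fields."""
    if cs_uri_query in ("", "-"):
        return cs_uri_stem
    return f"{cs_uri_stem}?{cs_uri_query}"


def would_block(uri: str, pattern=_REVISED, decode: bool = True) -> bool:
    """True if the URL Rewrite rule with this pattern would reject the request.

    decode=True reproduces the {UrlDecode:{REQUEST_URI}} condition input; with
    decode=False a percent-encoded token slips past the pattern.
    """
    target = unquote(uri) if decode else uri
    return pattern.search(target) is not None


def scan_iis_log(lines):
    """Return (line_no, client_ip, decoded_uri) for requests the revised rule blocks."""
    fields = None
    hits = []
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data encountered before a #Fields header")
        cols = dict(zip(fields, line.split()))
        uri = request_uri(cols.get("cs-uri-stem", ""), cols.get("cs-uri-query", "-"))
        if would_block(uri):
            hits.append((no, cols.get("c-ip"), unquote(uri)))
    return hits


if __name__ == "__main__":
    for line_no, ip, uri in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {ip} -> {uri}")
```

Point the scanner at the real `C:\inetpub\logs\LogFiles\W3SVC*` files rather than the embedded sample to triage a server. Note that a match only shows that a request of the exploit shape arrived; whether it succeeded depends on the status code and on whether the sender held valid credentials, which the SSRF chain requires.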
