CVE-2022-41040
Microsoft Exchange Server Server-Side Request Forgery Vulnerability
CVSS
—
No CVSS
EPSS
99.9%
p100
KEV
YES
Sep 30, 2022
Exploit Today
80
0-100
Published: — · Last modified: —
Product
Microsoft / Exchange Server
Vulnerability
Microsoft Exchange Server Server-Side Request Forgery Vulnerability
Added to KEV
Sep 30, 2022
Remediate by
Oct 21, 2022
Known ransomware use
Yes
Summary description
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
Required action
Apply updates per vendor instructions.
Notes
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; https://nvd.nist.gov/vuln/detail/CVE-2022-41040