Researchers have warned that mitigations published by Microsoft to fix two new Microsoft Exchange zero-day vulnerabilities can be circumvented by hackers.
In a tweet, security expert Jang explained that Microsoft’s temporary solution to prevent the exploitation of CVE-2022-41040 and CVE-2022-41082 is insufficient and can be bypassed with little effort.
Jang’s claims were verified. Instead of the URL block required by Microsoft, Jang offered a less specific alternative that would cover a wider range of attacks: “.autodiscover\.json.*PowerShell.*”
Microsoft’s mitigation instructions apply to on-premise Exchange Server customers and that Exchange Outline clients do not need to take action.
However, many organizations have a hybrid setup that combines on-prem with Microsoft Exchange’s cloud deployment.
Some organizations believe that a hybrid Microsoft Exchange setup would protect them from attack. However, security expert Kevin Beaumont explained that once there is an on-premise Exchange Server deployment, the organization remains at risk.
The sources for this piece include an article in BleepingComputer.