Hackers exploiting 2 new zero-day bugs in Exchange Server: Microsoft

The company said an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities. "In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability," Microsoft said in a security update.

Microsoft has revealed it is investigating two new zero-day vulnerabilities affecting the company's Exchange Server which is actively being exploited by hackers.

Microsoft said it is aware of limited targeted attacks using these two vulnerabilities.

Advertisement

The company said an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities.

"In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability," Microsoft said in a security update.

Advertisement

The company was working on an accelerated timeline to release a fix.

"Until then, we're providing mitigations and the detection guidance below to help customers protect themselves from these attacks," it added.

Advertisement

Also Read | Elon Musk unveils Tesla humanoid robot, may cost $20K

Last year, Microsoft released an emergency security update for its Exchange email and communications software as at least 30,000 organisations across the US were hit by hackers who stole email communications from their systems.

Advertisement

US President Joe Biden's administration had blamed China for the Microsoft Exchange email server software hacking.

The cyber attacks hit defence contractors, higher education institutions and nongovernmental organisations around the world.

Advertisement

Also Read | Vi to introduce 5G mobile cloud gaming service in India

Microsoft said that it was monitoring new zero-day "detections for malicious activity and we'll respond accordingly if necessary to protect customers".

Advertisement

"Exchange Online customers do not need to take any action," it added.
 

Advertisement
tags