by Joe Panettieri • Oct 3, 2022
The latest Microsoft Exchange Zero Day vulnerabilities may further motivate MSPs and MSSPs to accelerate customer migrations to Microsoft 365 cloud services — where Exchange Online does not suffer from such vulnerabilities.
Still, thousands of customers and IT service providers worldwide continue to run on-premises Exchange servers because of customized and/or compliance-related needs. Alas, those on-premises deployments — involving Microsoft Exchange Server 2013, 2016 and 2019 — contain Zero Day Vulnerabilities that hackers are now exploiting, Microsoft has disclosed.
Within the mitigation guidance, Microsoft emphasized that “Exchange Online customers do not need to take any action” because the cloud-based email system does not contain the vulnerabilities.
Meanwhile, the on-premises Exchange vulnerabilities were first reported on September 29 by Vietnamese security firm GTSC, which warned of an attack campaign using the zero-days could lead to remote code execution, SC Media reported.
Microsoft said the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, SC Media added. The second vulnerability – CVE-2022-41082 – allows remote code execution (RCE) when PowerShell is accessible to the attacker, SC Media noted.
On-premises Microsoft Exchange vulnerabilities remain frequent targets of cyberattacks, Cybereason explained in January 2022. Earlier problems involved an Exchange Autodiscover Flaw, multiple ProxyShell vulnerabilities, and the so-called Hafnium email hacks.
Threat hunting can certainly help to protect on-premises Exchange servers from hackers. But ultimately, running Microsoft 365 is likely a lower-risk approach for email security since Microsoft ultimately is responsible for maintaining and patching the cloud-based system…
Note: If you can’t migrate customers to cloud-based email and need to maintain on-premises Microsoft Exchange deployments, please email me the reasoning (joe.panettieri@CyberRiskAlliance.com) to help ensure balanced, informed coverage on MSSP Alert.
Curious as to how we know that Exchange Online does not have the same vulnerabilities.
Your email address will not be published.
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );