Two zero-day vulnerabilities(CVE-2022-41040 and CVE-2022-41082) were recently reported to Microsoft affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. 

Based on the report by Microsoft, authenticated access to the vulnerable server is required to successfully perform the exploitation of the vulnerable server.

At the time of writing, no security fix is currently available, hence, Microsoft provided mitigation and detection guidance to help their Microsoft Exchange Online customers.


A. Nature of the Vulnerability


  • Successful exploitation could allow an authenticated attacker to trigger CVE-2022-41082 remotely in these attacks.


  • Successful exploitation could allow remote code execution (RCE) when PowerShell is accessible to the attacker.


B. Affected Version

Microsoft Exchange Server 2013, 2016 and 2019


C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • CERT-PH encourages all on-premises Microsoft Exchange users/administrators to review the advisory and apply the mitigation plan while waiting for the official fix to be released.
    • Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. 
    • Option 2: Microsoft developed a tool named Exchange On-premises Mitigation Tool v2 (EOMTv2). This will mitigate current known attacks using CVE-2022-41040 via a URL Rewrite configuration.
      1. Note: The script has to be executed individually for each server.
    • Option 3: Manually configure the URL Rewrite Mitigation by following the steps provided by Microsoft.
  • For added security, administrators are urged to disable the remote Powershell to standard users within your organization. You may follow the step by clicking this link.
  • For additional information, kindly refer to the official report