Suspected Post-Authentication Zero-Day Vulnerabilities in Microsoft Exchange Server

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/

Suspected Post-Authentication Zero-Day Vulnerabilities in Microsoft Exchange Server

On Thursday, September 29, a Vietnamese security firm called GTSC published information and IOCs on what they claim is a pair of unpatched Microsoft Exchange Server vulnerabilities being used in attacks on their customers’ environments dating back to early August 2022. The impact of exploitation is said to be remote code execution. From the information released, both vulnerabilities appear to be post-authentication flaws. According to GTSC, the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation behavior.

There has been no formal communication from Microsoft confirming or denying the existence of the flaws as of 4:30 PM EDT on Thursday, September 29. Our own teams have not validated the vulnerabilities directly.

Notably, it appears that both vulnerabilities have been reported to (and accepted by) Trend Micro’s Zero Day Initiative (ZDI) for disclosure coordination and are listed on ZDI’s site as “Upcoming Advisories.” This lends credibility to the claim, as does the specificity of the indicators shared in the firm’s blog. You can view the two reported vulnerabilities on this page by searching ZDI’s advisories for ZDI-CAN-18802 and ZDI-CAN-18333.

We are monitoring for additional detail and official communications and will update this blog with further information as it becomes available.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.