Attacker Value

Moderate

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2022-41080

Disclosure Date: November 09, 2022 •

CVE-2022-41080 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by ccondon-r7 and 2 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Common in enterprise Difficult to patch Easy to weaponize Vulnerable in default configuration Authenticated

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.

Add Assessment

zeroSteiner (310)

January 10, 2023 3:53pm UTC (2 months ago)•Edited 1 month ago

Ratings

Attacker Value

Medium

Exploitability

Medium

Common in enterprise Difficult to patch Easy to weaponize Vulnerable in default configuration Authenticated

Technical Analysis

This is an alternative method for bypassing Exchange Emergency Mitigation Service (EEMS) protections for the ProxyNotShell exploit chain. When this CVE is combined with CVE-2022-41082, they yield code execution as NT AUTHORITY\SYSTEM.

Installing the original patches from Microsoft that were released in November fix this exploit chain as well. The technique is arguably redundant when EEMS can be bypassed using various encoding techniques. This alternative vector is likely most valuable when used to avoid generating exploitation following the original pattern.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

microsoft

Products

exchange server 2013,
exchange server 2016,
exchange server 2019

Exploited in the Wild

Reported by:

ccondon-r7 indicated sources as

Personally observed in an environment (https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/)
Other: Rapid7 Managed Detection and Response observed exploitation to deploy ransomware in multiple customer environments (https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/)

Reported: December 27, 2022 4:44pm UTC (3 months ago)

zeroSteiner indicated source as Vendor Advisory

Reported: January 10, 2023 3:53pm UTC (2 months ago)

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: January 11, 2023 5:15am UTC (2 months ago) • Edited 2 months ago

References

Canonical

CVE-2022-41080 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41080)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41080

Rapid7

Moderate

CVE-2022-41080

Moderate

Moderate

None

None

Network

CVE-2022-41080

Description