Government of the Republic of Trinidad and Tobago

TTCSIRT-406.30.09.22: Critical Microsoft Exchange 0-Day Vulnerability Actively Exploited

TTCSIRT-406.30.09.22: Critical Microsoft Exchange 0-Day Vulnerability Actively Exploited

Critical Microsoft Exchange 0-Day Vulnerability Actively Exploited


The two vulnerabilities for on-premise Microsoft Exchange have been discovered and are now being tracked as a Server-Side Request Forgery vulnerability, CVE-2022-41040, and a remote code execution vulnerability, CVE-2022-41082. The two vulnerabilities are being exploited together to remotely trigger arbitrary code execution which essentially allows threat actors to gain a foothold in the victim’s systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network.


Exchange servers that have been targeted and successfully exploited may have obfuscated web shells dropped onto the server, in the paths listed below, through POST requests coming from a user-agent, Antsword.

RedirSuiteServiceProxy.aspxC:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
pxh4HG1v.ashxC:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

The following methods can be used to detect if an organization’s Exchange Server has been exploited thanks to the team over at GTSC, a Technology company in Vietnam.

Method 1: Use PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200

Method 2: Use the tool developed by GTSC:

Based on the exploit signature, we build a tool to search with a much shorter time needed than using Powershell. The link to download:


There is currently no patch from Microsoft, however, Microsoft is urging customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats. This can be done by following the steps below.

  1. Open IIS Manager. 
  2. Select Default Web Site.
  3. In the Feature View, click URL Rewrite.
  4. In the Actions pane on the right-hand side, click Add Rule(s)…  
  5. Select Request Blocking and click OK. 
  6. Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
  7. Select Regular Expression under Using.
  8. Select Abort Request under How to block and then click OK.
  9. Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions
  10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.