Microsoft has released Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. Two zero-day vulnerabilities CVE-2022-41040 and CVE-2022-41082 were discovered on on-premise installations of Microsoft Exchange Server 2013, 2016 and 2019, while for Microsoft Exchange Online it was confirmed that these vulnerabilities does not exist.

These two vulnerabilities (CVE-2022-41040 и CVE-2022-41082) allow attackers to execute an attack by running arbitrary code, and the condition for successful execution of the attack is the prior acquisition of the rights of an authenticated user.

National CERT advises users and administrators to apply mitigation measures from Microsoft’s Security Advisory to avoid compromising systems until security updates for these vulnerabilities become available.