The Exchange Server zero-day vulnerability is actively being exploited

A zero-day vulnerability in Exchange Server 2013, 2016 and 2019 is currently being actively exploited. There is currently no security update for the following vulnerabilities: CVE-2022-41040 and CVE-2022-41082. There is, however, a workaround that prevents a successful attack: to block exploitation of the vulnerability, a rule for the URL Rewrite function can be created.

Step 1

To do this, first select the autodiscover directory of the default website in IIS Manager:

Step 2

A new rule can then be created under the item “Add rules…”:

Step 3

“Block request” should be selected as template:

Step 4

Enter the following string in the Pattern (URL path) field:

Step 5

The “Using” field needs to be changed from “Wildcard” to “Regular Expressions”:

Step 6

The newly added line is now expanded and edited:

Step 7

In the “Condition Input” field, {URL} must now be changed to {REQUEST_URI}:

Step 8

The rule is now complete and prevents the current attack. Once a security update is available, it should be installed as soon as possible.

Step 9

Authenticated users with access to PowerShell Remoting may attempt to exploit the CVE-2022-41082 vulnerability. Since PowerShell Remoting should not be reachable from the Internet in any environment, this attack vector is limited to the local network. To make this attack more difficult, the two ports for PowerShell Remoting can be blocked in the Windows firewall:

Step 10

“Block the connection” is selected as the action:

Step 11

The rule should now be given a name and can then be saved:
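The eleven steps above can also be applied without the IIS Manager and firewall GUIs. The script below is an added example and is not part of the original post; it uses the WebAdministration and NetSecurity cmdlets that ship with Windows Server. It assumes the IIS URL Rewrite module is installed, that Exchange's autodiscover application sits under “Default Web Site”, and that the blocking action is “Abort request” (the post does not say which response the template was left at). The regular expression from Step 4 is not reproduced on this page, so the script takes it as a mandatory parameter; supply the pattern from Microsoft's currently published guidance for these CVEs. The firewall part assumes the two WinRM default listener ports, 5985 (HTTP) and 5986 (HTTPS).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: scripts the URL Rewrite rule
# (Steps 1-8) and the firewall rules (Steps 9-11) described above.
param(
    # Step 4 pattern. Not reproduced on the page; take the current pattern
    # from the vendor advisory for CVE-2022-41040 / CVE-2022-41082.
    [Parameter(Mandatory)]
    [string]$Pattern,

    [string]$SiteName = 'Default Web Site',          # assumption
    [string]$RuleName = 'Block CVE-2022-41040 request pattern'
)

Import-Module WebAdministration

# Step 1: the autodiscover application of the default web site.
$psPath = "IIS:\Sites\$SiteName\autodiscover"
$rules  = 'system.webServer/rewrite/rules'
$rule   = "$rules/rule[@name='$RuleName']"

# Remove a stale copy first so the script can be re-run safely.
if (Get-WebConfiguration -PSPath $psPath -Filter $rule) {
    Clear-WebConfiguration -PSPath $psPath -Filter $rule
}

# Steps 2, 3 and 5: a new blocking rule that uses regular expressions
# ('ECMAScript' is what the GUI calls "Regular Expressions").
Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' -Value @{
    name           = $RuleName
    patternSyntax  = 'ECMAScript'
    stopProcessing = 'True'
}
# The rule applies to every request path; the real test is the condition below.
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" -Name 'url' -Value '.*'

# Steps 6 and 7: the condition. {URL} is only the path component, whereas
# {REQUEST_URI} also includes the query string, so the pattern is matched
# against {REQUEST_URI}.
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' -Value @{
    input   = '{REQUEST_URI}'
    pattern = $Pattern
}
# Assumed blocking action (the post does not state which one the template used).
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'

# Steps 9-11: block the WinRM default ports used by PowerShell Remoting.
foreach ($port in 5985, 5986) {
    $name = "Block PowerShell Remoting TCP $port (CVE-2022-41082 mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
    }
}

# Verification: show the condition as stored in IIS and the new firewall rules.
Get-WebConfiguration -PSPath $psPath -Filter "$rule/conditions/add" |
    Select-Object input, pattern
Get-NetFirewallRule -DisplayName 'Block PowerShell Remoting*' |
    Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol
```

Run it as `.\Mitigate-ProxyNotShell.ps1 -Pattern '<vendor pattern>'` on each Exchange server. Two points worth checking afterwards: confirm in IIS Manager that the condition input really reads {REQUEST_URI} (a rule created from the “Block request” template defaults to {URL}, which would silently miss the query string), and remember that the firewall rules also block legitimate WinRM administration of the server, so scope them to the profiles or remote addresses your environment needs. As Step 8 notes, the rules are a stopgap until the security update is installed.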

The following link provides more information about the vulnerability:

This link also contains information on how to identify an attack that has already been successful.


ATTComputer