Microsoft Exchange Zero Day Vulnerabilities: The Final Straw for On-Premises Email Servers?

The latest Microsoft Exchange Zero Day vulnerabilities may further motivate MSPs and MSSPs to accelerate customer migrations to Microsoft 365 cloud services -- where Exchange Online does not suffer from such vulnerabilities.

Still, thousands of customers and IT service providers worldwide continue to run on-premises Exchange servers because of customized and/or compliance-related needs. Alas, those on-premises deployments -- involving Microsoft Exchange Server 2013, 2016 and 2019 -- contain Zero Day Vulnerabilities that hackers are now exploiting, Microsoft has disclosed.

Within the mitigation guidance, Microsoft emphasized that "Exchange Online customers do not need to take any action" because the cloud-based email system does not contain the vulnerabilities.

Microsoft Exchange Server Vulnerabilities: Current and Previous Issues

Meanwhile, the on-premises Exchange vulnerabilities were first reported on September 29 by Vietnamese security firm GTSC, which warned that an attack campaign using the zero-days could lead to remote code execution, SC Media reported.

Microsoft said the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, SC Media added. The second vulnerability – CVE-2022-41082 – allows remote code execution (RCE) when PowerShell is accessible to the attacker, SC Media noted.

On-premises Microsoft Exchange vulnerabilities remain frequent targets of cyberattacks, Cybereason explained in January 2022. Earlier problems involved an Exchange Autodiscover Flaw, multiple ProxyShell vulnerabilities, and the so-called Hafnium email hacks.

Microsoft 365 and Exchange Online: Automated Patch Management

Threat hunting can certainly help to protect on-premises Exchange servers from hackers. But ultimately, running Microsoft 365 is likely a lower-risk approach for email security since Microsoft is responsible for maintaining and patching the cloud-based system...

Note: If you can't migrate customers to cloud-based email and need to maintain on-premises Microsoft Exchange deployments, please email me the reasoning ([email protected]) to help ensure balanced, informed coverage on MSSP Alert.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.