CVE-2022-41040 and CVE-2022-41082 are two vulnerabilities in Microsoft Exchange Server that have been actively exploited since at least September 2022. CVE-2022-41040 is a server-side request forgery (SSRF) flaw and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker; chained, they are known as "ProxyNotShell". Exploiting either one requires authenticated access to the Exchange server. Both are addressed by the critical updates described here.
Security Updates (SUs) have been made available by Microsoft for vulnerabilities discovered in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Both the original update packages (.msp files) and the new self-extracting, auto-elevating .exe packages for the SUs are available from the Microsoft Update Catalog. If you use the .msp package, run it from an elevated command prompt; installing it by double-clicking can fail or leave the server partially updated, while the .exe package elevates itself.
The following specific Exchange Server versions can use the November 2022 SUs:
Because active exploitation of these vulnerabilities has been observed, Microsoft recommends installing the updates immediately to protect against these attacks.
The November 2022 SUs fix the zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that were publicly disclosed on September 29, 2022.
Exchange Online customers are already protected from the vulnerabilities addressed in these SUs; the only action required of them is to update any on-premises Exchange servers still present in their environment, including servers kept for hybrid configurations.
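A common mistake when verifying that a server "has the update" is to trust the version shown by `Get-ExchangeServer`: its `AdminDisplayVersion` reflects only the Cumulative Update level, not Security Updates. The SU level is carried in the file version of `ExSetup.exe`. The following PowerShell is an added example written for this article, not code from Microsoft or from the original page. It reads the `ExSetup.exe` file version on the local server and compares it with the minimum build that includes the November 2022 SU for that server's CU. The build-number table is supplied here as an assumption and must be confirmed against Microsoft's "Exchange Server build numbers and release dates" page before you rely on it; the function names are the author's own.

```powershell
# Added example, not part of the original article. Run in the Exchange Management Shell
# on the server being checked (ExSetup.exe is on the PATH there).

# Minimum builds carrying the November 2022 SU, keyed by the CU's build line.
# ASSUMED VALUES: confirm against Microsoft's Exchange Server build-number table.
$Nov2022SuBuilds = @{
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange Server 2013 CU23
    '15.1.2375' = [version]'15.1.2375.37'   # Exchange Server 2016 CU22
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange Server 2016 CU23
    '15.2.986'  = [version]'15.2.986.36'    # Exchange Server 2019 CU11
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange Server 2019 CU12
}

function Get-ExchangeInstalledBuild {
    # The file version of ExSetup.exe changes with every SU; AdminDisplayVersion does not.
    $info = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
    [version]::new($info.FileMajorPart, $info.FileMinorPart,
                   $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-Nov2022SuInstalled {
    param(
        [Parameter(Mandatory)][version]$InstalledBuild,
        [hashtable]$MinimumBuilds = $Nov2022SuBuilds
    )
    # major.minor.build identifies the CU; the revision part carries the SU level.
    $cuKey = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build

    if (-not $MinimumBuilds.ContainsKey($cuKey)) {
        # SUs are only published for supported CUs; an older CU must be upgraded first.
        return [pscustomobject]@{
            InstalledBuild = $InstalledBuild
            RequiredBuild  = $null
            Status         = 'UnsupportedCU'
            Detail         = "No November 2022 SU for build line $cuKey; install a supported CU, then its SU."
        }
    }

    $required = $MinimumBuilds[$cuKey]
    if ($InstalledBuild -ge $required) {
        $status = 'Patched'
        $detail = 'November 2022 SU (or later) is installed.'
    } else {
        $status = 'Vulnerable'
        $detail = "Install the November 2022 SU for this CU (expected build $required or later)."
    }

    [pscustomobject]@{
        InstalledBuild = $InstalledBuild
        RequiredBuild  = $required
        Status         = $status
        Detail         = $detail
    }
}

# Usage on the server: compare the real SU-level build, not AdminDisplayVersion.
$build = Get-ExchangeInstalledBuild
Test-Nov2022SuInstalled -InstalledBuild $build | Format-List

# The comparison logic can also be exercised offline with a constructed build number:
Test-Nov2022SuInstalled -InstalledBuild ([version]'15.2.1118.15') | Format-List
```

Run it on every on-premises server, including hybrid servers that no longer host mailboxes, since those are still exposed if they publish Exchange endpoints. Treating `Status` as anything other than `Patched` as a finding keeps servers on an unsupported CU from being reported as merely "not updated".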
The Security Update Guide has more details about the individual CVEs (filter on Product Family: Exchange Server).
Microsoft has released the following updates:
You can find FAQs for these vulnerabilities here.