CVE-2022-41040

Published: Oct 3, 2022Modified: Oct 30, 2025CISA KEV

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: secure@microsoft.com (Secondary)

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Affected (5)

Products: Microsoft: Exchange Server

1 product

Exchange Server

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Microsoft Exchange Server	Version 2013 cumulative_update_23
Microsoft Exchange Server	Version 2016 cumulative_update_22
Microsoft Exchange Server	Version 2016 cumulative_update_23
Microsoft Exchange Server	Version 2019 cumulative_update_11
Microsoft Exchange Server	Version 2019 cumulative_update_12

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040

Source: secure@microsoft.com

PatchVendor Advisory

http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

https://www.kb.cert.org/vuls/id/915563

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.