New Microsoft Exchange Exploit Chain via “OWASSRF” Leads to RCE


Arctic Wolf has observed an increase in exploitation of CVE-2022-41080 and CVE-2022-41082 in recent Incident Response engagements where the vulnerabilities were chained together to achieve remote code execution (RCE). This exploit chain bypasses the ProxyNotShell URL rewrite mitigations that were shared by Microsoft in September and October.  

Organizations that run Microsoft Exchange on-premises or in a hybrid model should install the November patches provided by Microsoft to reduce the potential for successful exploitation. The URL rewrite mitigations that were originally provided by Microsoft will not protect you against this new exploit chain.  

Note: Exchange Online is not affected and organizations do not need to take action.  

Recommendations 

Recommendation #1: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. All vulnerabilities reported above have been used in intrusions and are being actively exploited by threat actors. 

Note: Arctic Wolf recommends following change management best practices when deploying security patches, including testing changes in a development environment before deploying to production to avoid operational impact. 

Vulnerability     Impacted Product                                 Update Catalog 
CVE-2022-41080    Microsoft Exchange Server 2019, 2016, and 2013   KB5019758 
CVE-2022-41082    Microsoft Exchange Server 2019, 2016, and 2013   KB5019758 

Recommendation #2: Disable On-Premises Web Services for Microsoft 365 Deployments in a Hybrid Configuration 

If possible, update your Exchange configuration to point to cloud-hosted versions of OWA, ECP, and Autodiscover instead of on-premises instances of these services. This will not only prevent exploitation of this vulnerability but will also protect against future vulnerabilities of a similar nature involving Exchange web services hosted on-premises. 

For more details, see the following article: https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/  

Recommendation #3: Restrict Access to External-Facing Exchange Servers 

Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Leverage Access Control List (ACL) restrictions on Exchange Control Panel (ECP) and other directories within IIS. The ECP directory should not be exposed to the Internet unless absolutely necessary. 

Restrict access to Exchange Servers via VPN for approved users; deny access from TOR, proxy, and third-party VPN IPs to limit exploitation. Furthermore, restrict unnecessary ports and traffic from the Exchange Server. 

  • Note: Necessary ports for outbound traffic from Exchange Server are 25, 53, 123, 80, and 443 

Recommendation #4: Disable Remote PowerShell Access for Non-Admins 

Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Disable remote PowerShell access for all non-admin users within your environment. For additional guidance follow Microsoft’s Control Remote PowerShell Access to Exchange Servers documentation. 
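The following PowerShell is an added example, not code from the Arctic Wolf advisory or from Microsoft's documentation, showing one way to carry out Recommendation #4 from the Exchange Management Shell on an on-premises server. It assumes the role groups named in $AdminRoleGroups are the only ones whose members need remote PowerShell, and that role-group membership is direct (nested groups are not expanded); by default it only reports, and changes are made only with -Apply.

```powershell
# Added example (not from the advisory): disable remote PowerShell for every
# mailbox user who is not a member of an Exchange admin role group.
# Assumes the Exchange Management Shell on an on-premises server.
param(
    [switch]$Apply,   # without -Apply the script only reports what it would change
    [string[]]$AdminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')
)

# Collect the DistinguishedName of every direct member of the admin role groups.
$adminDns = foreach ($rg in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ResultSize Unlimited | ForEach-Object { $_.DistinguishedName }
}
$adminSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@($adminDns), [System.StringComparer]::OrdinalIgnoreCase)

# Mailbox users who still have remote PowerShell enabled and are not admins.
function Get-NonAdminRemotePSUsers {
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.RemotePowerShellEnabled -and -not $adminSet.Contains($_.DistinguishedName) }
}

foreach ($u in (Get-NonAdminRemotePSUsers)) {
    if ($Apply) {
        Set-User -Identity $u.DistinguishedName -RemotePowerShellEnabled $false
        Write-Output "Disabled remote PowerShell for $($u.UserPrincipalName)"
    } else {
        Write-Output "Would disable remote PowerShell for $($u.UserPrincipalName) (re-run with -Apply)"
    }
}

# Verification pass: after -Apply, only admin role-group members should remain enabled.
$remaining = @(Get-NonAdminRemotePSUsers)
Write-Output ("Non-admin mailbox users with remote PowerShell still enabled: {0}" -f $remaining.Count)
```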


James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.