CVE-2022-41040

CVE-2022-41040 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-30). The underlying weakness is classified as CWE-918.

Key facts

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41040: Microsoft Exchange Server SSRF (ProxyNotShell) — High-Severity Elevation of Privilege

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-41040
CWE CWE-918 (Server-Side Request Forgery)
CVSS 3.1 8.8 (HIGH)
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99945 (99.97th percentile)
KEV Yes (added 2022-09-30)
Source NVD

Summary

CVE-2022-41040 is a high-severity vulnerability in Microsoft Exchange Server. The underlying weakness is CWE-918 (Server-Side Request Forgery), which allows an attacker with low-privileged network access to manipulate the server into making unintended requests. Microsoft classifies this as an elevation-of-privilege flaw, while security researchers and threat intelligence have tracked it as the first stage of the ProxyNotShell exploit chain, often paired with CVE-2022-41082 to achieve remote code execution.

Background

In late 2022, security researchers identified active exploitation against Microsoft Exchange Server instances. Attackers were leveraging an SSRF vulnerability to bypass authentication layers and interact with internal Exchange components. This activity was swiftly added to the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Vulnerability Database (EUVD-2022-44285), reflecting confirmed in-the-wild abuse.

Root Cause

The vulnerability stems from CWE-918: Server-Side Request Forgery. An attacker-controlled request is processed by the Exchange server without sufficient validation of the destination. The server then performs actions or returns data based on this crafted request, effectively acting as a proxy for the attacker against internal or external resources. The attack complexity is low, no user interaction is required, and the attacker only needs low privileges.

Impact

The CVSS 3.1 base score is 8.8 (HIGH) with the vector:

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

This means an authenticated attacker can achieve high impact across confidentiality, integrity, and availability of the Exchange server. When chained with additional vulnerabilities, full remote compromise of the server is possible.

Exploitation Walkthrough

Ethics caveat: This section describes the vulnerability mechanism from a defensive viewpoint. No working exploit code is provided. Organizations should use this understanding to tune detection and hardening, not to attack systems without authorization.

The attack typically proceeds as follows:

  1. The attacker authenticates to the Exchange server with low-privileged credentials (or leverages an existing authenticated session).
  2. A specially crafted HTTP request is sent to an Exchange endpoint that performs backend URL resolution.
  3. The server processes the request and issues a secondary request to an attacker-specified target — often an internal endpoint such as the Exchange backend PowerShell API or other administrative interfaces.
  4. The response from the internal target is returned to the attacker, effectively granting unauthorized access to internal services.
  5. In the broader ProxyNotShell campaign, this SSRF was chained with CVE-2022-41082 to achieve authenticated remote code execution.

Affected and Patched Versions

Affected versions (based on CPE data):

  • Microsoft Exchange Server 2013 — Cumulative Update 23
  • Microsoft Exchange Server 2016 — Cumulative Update 22
  • Microsoft Exchange Server 2016 — Cumulative Update 23
  • Microsoft Exchange Server 2019 — Cumulative Update 11
  • Microsoft Exchange Server 2019 — Cumulative Update 12

Patched versions: Organizations should apply the November 2022 (or later) Exchange security updates and confirm the specific cumulative update guidance from Microsoft. Refer to the official Microsoft Security Response Center advisory for the latest patch applicability.

Remediation

  1. Apply official patches: Install the relevant Microsoft security updates for Exchange Server as detailed in the MSRC guidance.
  2. Compensating controls: If immediate patching is not feasible, restrict external access to Exchange Admin Center (EAC) and other management endpoints. Implement IP allowlisting where possible.
  3. Enable modern authentication: Reduce reliance on basic authentication pathways that may facilitate initial access.
  4. Network segmentation: Place Exchange servers in a restricted network segment and monitor outbound connections from these hosts.

Detection

  • Monitor IIS/Exchange logs for unusual POST or GET requests to Autodiscover, EWS, or PowerShell endpoints from unexpected IP addresses.
  • Look for anomalous backend connections from the Exchange server to internal services, especially those targeting /powershell or administrative APIs.
  • Correlate authentication logs with CISA KEV and EUVD-2022-44285 indicators.
  • Deploy endpoint detection and response (EDR) coverage on Exchange servers to catch anomalous process creation following web exploitation.

Assessment

CVE-2022-41040 carries an EPSS score of 0.99945 (99.97th percentile), indicating near-universal probability of exploitation in the wild. It has been on the CISA KEV catalog since 30 September 2022 and is marked as exploited in the EU vulnerability database. The combination of low attack complexity, network reachability, and high impact makes this a critical priority for patching.

Key lessons:

  • SSRF vulnerabilities in externally exposed enterprise applications are high-value targets because they bridge the network-security boundary.
  • Attackers actively chain SSRF with other flaws to maximize impact; treat SSRF findings with the same urgency as direct remote-code-execution bugs.

References

Frequently asked questions

What is CVE-2022-41040?
Microsoft Exchange Server Elevation of Privilege Vulnerability
How severe is CVE-2022-41040?
CVE-2022-41040 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-41040 being actively exploited?
Yes. CVE-2022-41040 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-30, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-41040?
CVE-2022-41040 primarily affects Microsoft Exchange Server. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-41040?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-41040 have an EU (EUVD) identifier?
Yes. CVE-2022-41040 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-44285. It is also flagged as exploited in the EUVD (since 2022-09-30).
When was CVE-2022-41040 published?
CVE-2022-41040 was published on 2022-10-03 and last updated on 2026-06-17.

References

Affected products (5)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →