Tech giant Microsoft has revealed it is investigating two new zero-day vulnerabilities affecting the company’s Exchange Server which is actively being exploited by hackers.
Microsoft said it is aware of limited targeted attacks using these two vulnerabilities.
The company said an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities.
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft said in a security update.
The company was working on an accelerated timeline to release a fix.
“Until then, we’re providing mitigations and the detection guidance below to help customers protect themselves from these attacks,” it added.
Last year, Microsoft released an emergency security update for its Exchange email and communications software as at least 30,000 organizations across the US were hit by hackers who stole email communications from their systems.
US President Joe Biden’s administration had blamed China for the Microsoft Exchange email server software hacking.
The cyber attacks hit defense contractors, higher education institutions, and nongovernmental organizations around the world.
Microsoft said that it was monitoring new zero-day “detections for malicious activity and we’ll respond accordingly if necessary to protect customers”.
“Exchange Online customers do not need to take any action,” it added.
