Cyber Resilience

CVE-2022-41040

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 03 October 2022

Modified: 30 October 2025
KEV Added: 30 September 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9994 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2022-41040 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2022-41040 is an elevation of privilege vulnerability affecting Microsoft Exchange Server. It is tracked under CWE-918 and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, low required privileges, and no user interaction. Successful exploitation can produce high impact on confidentiality, integrity, and availability of the affected server.

An authenticated attacker with low privileges can exploit the flaw remotely to elevate privileges and obtain unauthorized access or control within the Exchange environment. The vulnerability has been publicly associated with ProxyNotShell attack chains that combine it with related issues to achieve remote code execution.

Microsoft Security Response Center advisories and the November 2022 Patch Tuesday release direct administrators to apply the vendor-supplied security updates for Exchange Server. Additional guidance appears in the coordinated CERT and vendor portals referenced for the CVE.

The EPSS score reached a peak of 0.9685 and remains at 0.9415, indicating sustained exploitation interest after disclosure.

Vulnerability details

Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
CWE(s): CWE-918 (SSRF)
KEV Date Added: 30 September 2022

Related Threats

CVEs Like This One

CVE-2021-34473 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-26855 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-31207 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-27065 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-34523 · Same product: Microsoft Exchange Server · both on KEV
CVE-2022-41082 · Same product: Microsoft Exchange Server · both on KEV
CVE-2026-42897 · Same product: Microsoft Exchange Server · both on KEV
CVE-2025-21177 · Same vendor: Microsoft
CVE-2026-41091 · Same vendor: Microsoft · both on KEV
CVE-2025-68645 · Same product class: email / collaboration · both on KEV

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly requires timely application of vendor patches that close the Exchange EoP flaw before exploitation.

Prevent: Limits privileges of authenticated accounts, reducing the impact and feasibility of successful privilege escalation.

Prevent (AC-3, Access Enforcement): Enforces access-control decisions that block the unauthorized elevation path exploited by the SSRF-based attack.
