CVE-2022-41040
Published: 03 October 2022
Summary
CVE-2022-41040 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2022-41040 is an elevation of privilege vulnerability affecting Microsoft Exchange Server and is tracked under CWE-918 with a CVSS 3.1 score of 8.8 reflecting network attack vector, low attack complexity, low required privileges, and no user interaction. Successful exploitation can produce high impact across confidentiality, integrity, and availability on the affected server.
An authenticated attacker with low privileges can exploit the flaw remotely to elevate privileges and obtain unauthorized access or control within the Exchange environment. The vulnerability has been publicly associated with ProxyNotShell attack chains that combine it with related issues to achieve remote code execution.
Microsoft Security Response Center advisories and the November 2022 Patch Tuesday release direct administrators to apply the vendor-supplied security updates for Exchange Server. Additional guidance appears in the coordinated CERT and vendor portals referenced for the CVE.
The EPSS score reached a peak of 0.9685 and remains at 0.9415, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44285
Vulnerability details
Microsoft Exchange Server Elevation of Privilege Vulnerability
- CWE(s): CWE-918
- KEV Date Added: 30 September 2022
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of vendor patches that close the Exchange EoP flaw before exploitation.
- Limits the privileges of authenticated accounts, reducing both the feasibility and the impact of a successful privilege escalation.
- Enforces access-control decisions that block the unauthorized elevation path exploited by the SSRF-based attack.