CVE-2022-41080
Published: 09 November 2022
Summary
CVE-2022-41080 is a high-severity vulnerability of unspecified weakness type in Microsoft Exchange Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Exchange Server contains an elevation of privilege vulnerability tracked as CVE-2022-41080. The flaw received a CVSS 3.1 base score of 8.8, reflecting a network-accessible attack that requires only low privileges and no user interaction to obtain full confidentiality, integrity, and availability impact on affected systems.
An authenticated attacker with low-privileged access to an Exchange deployment can exploit the issue to elevate rights and perform actions that would otherwise be restricted, such as accessing or modifying sensitive mailbox data and server configuration.
Microsoft has published security updates addressing the vulnerability through its update guide, and CISA has added CVE-2022-41080 to its catalog of known exploited vulnerabilities, confirming in-the-wild exploitation. The associated EPSS score remains consistently high, with a current value of 0.9379 and a peak of 0.9381.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44324
Vulnerability details
Microsoft Exchange Server Elevation of Privilege Vulnerability
- CWE(s)
- KEV Date Added: 10 January 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patches that close the EoP flaw in Exchange Server.
Limits the rights of the low-privileged accounts that the vulnerability allows to be escalated to full server control.
Enforces the authorization decisions that the flaw bypasses, blocking the unauthorized privilege elevation.