Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as zero-day in the wild.

Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as zero-day in the wild.

The exploited vulnerability – documented as CVE-2022-41033 – affects the Windows COM+ event system service and has been exploited in elevation of privilege attacks, suggesting it was used as part of an exploit chain detected in the wild.

The latest zero-day was reported anonymously to Microsoft.

The new warning comes less than a month after Microsoft’s security response team scrambled to issue mitigations for a pair of Exchange Server flaws targeted by a nation state-level threat actor.

Those two Exchange Server vulnerabilities – CVE-2022-41040 and CVE-2022-41082 — remain unpatched.

[ READ: Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce ]

The existence of the Exchange Server vulnerabilities became public in late September, when Vietnamese cybersecurity company GTSC reported seeing two previously unknown Exchange flaws being exploited in August against critical infrastructure.  

Microsoft conducted its own analysis and determined that a single state-sponsored threat actor has exploited the zero-days in highly targeted attacks aimed at fewer than 10 organizations. 

The unpatched flaws are documented as a server-side request forgery (SSRF) issue that can be exploited for privilege escalation (CVE-2022-41040) and a remote code execution flaw when PowerShell is accessible to the attacker (CVE-2022-41082). 

Redmond did not provide a timeline for when Windows users can expect the Exchange Server fixes.  

As part of the October batch of Patch Tuesday updates, Redmond documented 85 security defects in Microsoft Windows and operating system components and a dozen flaws addressed in the Microsoft Edge (Chromium-based) browser.

[ READ: Microsoft Confirms Exploitation of Two Exchange Server Zero-Days ]

According to vulnerability trackers at ZDI, 15 of the 85 vulnerabilities are rated critical, Microsoft’s highest severity rating.  The critical-level issues affect Active Directory, Azure, Microsoft Office, SharePoint, Hyper-V and the Windows Point-to-Point tunneling protocol.

Silicon Valley software maker Adobe also joined the Patch Tuesday train with the release of patches for 29 documented vulnerabilities across multiple enterprise-facing products.

Adobe warned the vulnerabilities could expose both Windows and macOS users to arbitrary code execution, arbitrary file system write, security feature bypass and privilege escalation attacks.

The most urgent of the patches cover security defects in ColdFusion versions  2021 and 2018.  According to an Adobe critical-rated advisory, a total of 13 ColdFusion flaws were fixed, including some carrying a CVSS 9.8/10 severity rating.

Adobe’s security response team also shipped a high-priority patch for the Adobe  Commerce and Magento Open Source software with a warning that a critical-level bug could expose users to arbitrary code execution attacks.

Related: Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce

Related: Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hackers

Related: Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed 

Related: Microsoft Confirms Exploitation of Two Exchange Server Zero-Days

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.