Attackers are exploiting two new zero-day bugs in Microsoft Exchange Server. Three weeks ago, the researchers who found them reported the flaws to Microsoft privately through Trend Micro's Zero Day Initiative.

Abuse of zero-day flaws

Researchers from GTSC spotted attacks chaining two zero-day flaws to achieve remote code execution on on-premises Exchange servers. The flaws are tracked as CVE-2022-41040, a server-side request forgery (SSRF) bug, and CVE-2022-41082, which allows remote code execution when the attacker can reach the Exchange PowerShell backend; both require an authenticated connection to the server.
  • The attackers chained the two flaws to drop China Chopper web shells on compromised servers, which they used for persistence and data theft and as a foothold for lateral movement to other systems on the network.
  • The researchers attributed the attacks to a Chinese threat group, based on the web shells' code page (936), a Microsoft character encoding for simplified Chinese.
  • Further, the user agent used to install the web shells belongs to AntSword, a China-based open-source website administration tool with web shell management support.

Zero Day Initiative is tracking the bugs as ZDI-CAN-18802 and ZDI-CAN-18333.

How are the flaws exploited?

GTSC released only a few details about the zero-day flaws because no patch is available yet.
  • The requests used in the exploit chain resemble those used in attacks on the ProxyShell flaws.
  • The exploit works in two stages. The first stage sends a request in the same format as the ProxyShell exploit, an Autodiscover request whose query smuggles a path to an Exchange backend endpoint: autodiscover/autodiscover.json?@evil.corp/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.corp
  • The second stage uses that request to reach a component in the backend (the PowerShell remoting endpoint) and achieve remote code execution.

Mitigation

Microsoft hasn't released security updates for the zero-days yet. However, GTSC has shared a temporary mitigation: add a request-blocking rule with the IIS URL Rewrite module on the Autodiscover site under FrontEnd that matches the regular expression .*autodiscover\.json.*\@.*Powershell.* against {REQUEST_URI} and aborts the request. Organizations are advised to apply this temporary fix as soon as possible, and to search their IIS logs for requests matching the same pattern that already returned 200, since the rule does nothing for servers compromised before it was added.
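The following is an added example, not GTSC's or Microsoft's code. It applies the request pattern behind GTSC's URL Rewrite mitigation in the two ways a defender needs it: as a filter on a single request URI, the way the IIS rule would see it, and as a retrospective hunt over IIS W3C log lines for requests in that shape that already succeeded, with AntSword's User-Agent flagged as a secondary indicator. The URI is percent-decoded before matching so that writing '@' as %40 does not slip past the pattern (IIS URL Rewrite can do the same by matching on {UrlDecode:{REQUEST_URI}} instead of {REQUEST_URI}). The log lines, hostnames, IP addresses and web shell path are constructed for the example.

```python
"""
Added example: GTSC's Exchange zero-day request pattern as a request filter
and as an IIS log hunt. Not GTSC's or Microsoft's code; sample data is constructed.
"""
import re
from urllib.parse import unquote

# Pattern from GTSC's URL Rewrite mitigation: .*autodiscover\.json.*\@.*Powershell.*
# Matched case-insensitively, as IIS URL Rewrite patterns are by default.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)

# "antSword" is the default User-Agent prefix of the AntSword web shell manager
# the article names; used here only as a secondary indicator.
ANTSWORD_UA = "antsword"


def is_exploit_request(uri: str) -> bool:
    """True if a path+query string matches the mitigation pattern.

    The URI is percent-decoded once first, so '@' written as %40 (or
    'powershell' written with %-escapes) does not evade the check.
    """
    return BLOCK_PATTERN.match(unquote(uri)) is not None


def parse_w3c_log(text: str):
    """Yield one dict per request from IIS W3C extended log text.

    Column names are taken from the '#Fields:' directive, so the parser
    follows whatever field order the server was configured to log.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_iis_log(text: str):
    """Return suspicious entries: requests that matched the exploit pattern and
    returned 200, plus any request carrying an AntSword User-Agent."""
    hits = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        reasons = []
        if rec.get("sc-status") == "200" and is_exploit_request(uri):
            reasons.append("autodiscover/powershell chain")
        if ANTSWORD_UA in rec.get("cs(User-Agent)", "").lower():
            reasons.append("AntSword user agent")
        if reasons:
            hits.append({"c-ip": rec.get("c-ip"), "uri": uri, "reasons": reasons})
    return hits


# Constructed IIS log excerpt: one legitimate Autodiscover request, the exploit
# request in plain and %40-encoded form, a web shell hit from AntSword, and a
# failed (401) attempt that a hunt for successful exploitation should skip.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:00:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 - 203.0.113.10 Outlook/16.0 - 200 0 0 15
2022-09-30 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/powershell&Email=autodiscover/autodiscover.json%3f@attacker.example 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2022-09-30 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.json %40attacker.example/powershell&Email=autodiscover/autodiscover.json%3f%40attacker.example 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 118
2022-09-30 08:00:09 10.0.0.5 POST /owa/auth/shell.aspx - 443 - 198.51.100.7 antSword/v2.1 - 200 0 0 40
2022-09-30 08:00:10 10.0.0.5 GET /autodiscover/autodiscover.json @attacker.example/powershell&Email=x 443 - 198.51.100.8 curl/7.85 - 401 0 0 3
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

Run against the constructed excerpt, the scan returns three entries, all from 198.51.100.7: the plain and the %40-encoded exploit requests, and the AntSword request to the web shell. The legitimate Outlook request is not flagged even though its query contains '@', because the pattern also requires the PowerShell backend path, and the 401 attempt is skipped because the hunt looks for requests that succeeded; the filter function alone would still block it.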

Publisher: Cyware