Microsoft Exchange Zero-Day Vulnerabilities May Impact Healthcare Cybersecurity

Because Microsoft Exchange is so commonly used, the two recently discovered zero-day vulnerabilities may have an impact on healthcare cybersecurity.

Two zero-day vulnerabilities are being actively exploited in Microsoft Exchange Servers 2013, 2016, and 2019, and may impact healthcare cybersecurity.

The first vulnerability (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability, while the second (CVE-2022-41082) allows Remote Code Execution (RCE) if the attacker has access to PowerShell, Microsoft explained in an alert to customers.

A successful attack involves an authenticated attacker exploiting CVE-2022-41040 in order to remotely trigger CVE-2022-41082.

Microsoft “is aware of limited targeted attacks using these two vulnerabilities,” and noted that attackers must have authenticated access to the vulnerable Exchange Server in order to exploit either vulnerability.

“Microsoft Exchange is used in the Healthcare and Public Health (HPH) sector and therefore poses a significant threat,” HHS Health Sector Cybersecurity Coordination Center (HC3) reported in an alert.

However, HC3 acknowledged that the full impact of these vulnerabilities on the healthcare sector is not yet known.

“We are working on an accelerated timeline to release a fix,” Microsoft stated. While Microsoft works to develop patches, it urged Microsoft Exchange users to follow its mitigation tips. Exchange Online customers do not need to take any action.

Microsoft is continuing to add more detailed mitigations to its blog post and has also strongly recommended that Exchange Server customers disable remote PowerShell access for non-admin users within their organizations.

“It is recommended that HPH organizations with on-premises Microsoft Exchange review and follow Microsoft’s guidance to apply necessary mitigations and patches once they become available,” HC3 added.

In other cybersecurity news, HC3 recently alerted the healthcare sector to a rise in monkeypox-themed phishing schemes.

In addition, HC3 issued a brief outlining the tactics and techniques of threat group APT41, and CISA and the NSA released an advisory addressing industrial control system (ICS) and operational technology (OT) cybersecurity.

Healthcare organizations should remain aware of the latest cyber threats and thoughtfully employ defensive measures.
