How to manage Microsoft’s two new zero-day vulnerabilities

The CEO and founder of a stealth startup recently told an audience at an In-Q-Tel event that the likelihood of one of the 100 Common Vulnerabilities and Exposures (CVE) listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog being actively exploited is 2.5%.

This may not seem like a large figure. But when an organization’s systems are subject to a known and publicized vulnerability, regulatory mandates may require it to mitigate that vulnerability in a set timeframe, based on its criticality.

On September 29, 2022, Microsoft reported two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019. The first vulnerability allows an attacker to become authenticated, which then allows the authenticated attacker to remotely trigger the other CVE — a remote code execution (RCE) when PowerShell is accessible to the attacker.

According to Microsoft, “Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.” Organizations should nevertheless respond quickly.

Mitigation steps

Per guidance from Microsoft, Exchange Online customers do not need to take any action.

For those not using Exchange Online, the current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. Exchange Server customers should review and choose only one of the following three options:

Insurance considerations

Cyber insurers are reacting to the report of the Exchange Server zero-day vulnerabilities. Among other questions, underwriters are beginning to ask:

1. Does the insured utilize on premises versions of Microsoft Exchange Server?

2. Has the insured applied the mitigation settings recommended by Microsoft?

3. Has the insured reviewed its environment for indicators of compromise and can it confirm none were found?

4. If indicators of compromise were found, have they been remediated?

These and any known vulnerabilities should be addressed by your overall vulnerability and patch management program, which should monitor and alert you about identified vulnerabilities. This gives your organization the ability to analyze, prioritize and address vulnerabilities to reduce exposures as efficiently and effectively as possible.

Other controls

Your ability to identify and mitigate known vulnerabilities is critical to protecting your organization from catastrophic cyber events and losses. Lockton recommends that all companies with potential vulnerabilities consider taking the following five actions:

  1. Patch software now. Your analysis of criticality can help you prioritize and focus your patching efforts on all key assets.

  2. Commit to backing up data on a regular cadence and maintain the most current backup copy offline and off-site.

  3. Enable file extensions, which makes it easier to identify file types not generally sent to you and various users. Your IT department or managed service provider can execute this for all users.

  4. Do not enable macros in document attachments received via email. Most infections rely on you to enable macros to execute their maliciousness.

  5. Be cautious about unsolicited attachments and train your workforce how to spot unsolicited emails and attachments on their primary access devices, such as mobile phones. Note that such attachments can look different on a computer screen versus a mobile phone screen.

For more information, contact your Lockton adviser or email us at