CVE-2022-41040

ENISA EUVD: EUVD-2022-44285 ↗
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: March 3, 2026 · 14 articles · Published: 2022-10-03

EPSS Score

Source: FIRST.org · 2026-05-23
94.22%
probability
This CVE has a 94.22% probability of being exploited in the next 30 days.
Top 99.9th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.8
HIGH
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Temporal
Exploit Code Maturity
Proof-of-Concept
Remediation Level
Official Fix
Report Confidence
Confirmed
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Description

NVD
Microsoft Exchange Server Elevation of Privilege Vulnerability

Affected Products

Microsoft
Microsoft Exchange Server 2013 Cumulative Update 23
15.00.0
Microsoft
Microsoft Exchange Server 2016 Cumulative Update 22
15.0.0
Microsoft
Microsoft Exchange Server 2019 Cumulative Update 11
15.02.0
Microsoft
Microsoft Exchange Server 2019 Cumulative Update 12
15.02.0
Microsoft
Microsoft Exchange Server 2016 Cumulative Update 23
15.01.0

Attack Intelligence

Google Project Zero

Patched
Nov. 8, 2022
Reported by
DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with Trend Micro Zero Day Initiative
Root Cause Analysis
???

Exploits & PoC

kljunowsky/CVE-2022-41040-POC

CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server

91 2023-01-21
TaroballzChen/CVE-2022-41040-metasploit-ProxyNotShell

The Metasploit script (POC) about CVE-2022-41040. Microsoft Exchange is vulnerable to a server-side request forgery (SSRF) attack. An authenticated at

35 2022-10-20
numanturle/CVE-2022-41040

CVE-2022-41040 nuclei template

19 2022-10-02
r3dcl1ff/CVE-2022-41040

mitigation script for MS Exchange server vuln

5 2022-10-04
d3duct1v/CVE-2022-41040

Code set relating to CVE-2022-41040

5 2022-10-06
rjsudlow/proxynotshell-IOC-Checker

Script to check for IOCs created by ProxyNotShell (CVE-2022-41040 & CVE-2022-41082)

5 2022-10-09
9 repos, sorted by ⭐. Search on GitHub ↗

Signal Intelligence

Confidence
82%
EPSS 94.22%
CVSS v3.1 8.8
Mentions 14
Last Seen Feb 25, 2025

CNA Information

CNA Assigner
microsoft
CNA Title
Microsoft Exchange Server Elevation of Privilege Vulnerability

Analyst Note

CVE-2022-41040 is confirmed as an elevation of privilege vulnerability in Microsoft Exchange Server with a high CVSS score of 8.8, inclusion in Google Project Zero research, and documentation in CERT-EU security advisories indicating active exploitation. The evidence strongly supports the confirmed status, though the single article and absence from CISA KEV list warrant a slightly conservative confidence level.

Threat Actors 16

Lazarus Group
apt_group Information theft and espionage 🇰🇵 KP
Cobalt
apt_group Financial crime 🇷🇺 RU
Harvester
apt_group Information theft and espionage Unknown
Hacking Team
apt_group 🇮🇹 IT
Kinsing
apt_group 🇷🇺 RU
Infy
apt_group Information theft and espionage 🇮🇷 IR
Andariel Group
apt_group 🇰🇷 KR
TeamTNT
apt_group 🇩🇪 DE
APT-C-36
apt_group Information theft and espionage 🇨🇴 CO
Roaming Mantis
apt_group 🇯🇵 JP
Rocke
apt_group 🇨🇳 CN
SEXi
apt_group
Shadow Network
apt_group Information theft and espionage 🇨🇳 CN
Mana Team
apt_group 🇨🇳 CN
Operation Shadow Force
apt_group 🇨🇳 CN
Operation Black Atlas
apt_group Financial crime

Triage Info

Decided at: Mar 03, 2026
Published Date: Oct 03, 2022