One (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability, a flaw that lets an attacker make the server issue requests to a destination the application never intended, for example reaching internal services that are not exposed outside the network perimeter.
The other (CVE-2022-41082) allows remote code execution when PowerShell is accessible to the attacker.
When chained, CVE-2022-41040 can be used to trigger CVE-2022-41082, although Microsoft notes that this is only possible if the attacker already has authenticated access to the vulnerable Exchange Server.
Nonetheless, Microsoft says it's "aware of limited targeted attacks using the two vulnerabilities to get into users' systems" and that the company is working on an "accelerated timeline" to release a fix.
To mitigate the vulnerabilities for now, on-premises Microsoft Exchange customers should review and apply the URL Rewrite instructions detailed in the alert and block exposed Remote PowerShell ports (HTTP 5985 and HTTPS 5986). Microsoft says Exchange Online customers don't need to take any action.
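The two interim mitigations above, expressed as a PowerShell script for an on-premises Exchange server. This is an added example, not code from the article, from GTSC or from Microsoft; it assumes the Exchange front end is the IIS site named 'Default Web Site', that the WebAdministration module and the IIS URL Rewrite module are installed (both are standard on an Exchange server), and that it is run from an elevated shell on the server. The rule name is hypothetical. The regex is the revised pattern Microsoft published after its first, narrower pattern (which required a literal '@' in the URL) was found to be bypassable; take the current pattern from the alert before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the URL Rewrite request-blocking rule and the Remote
# PowerShell port block described in the Microsoft alert. Not the article's or
# Microsoft's own code; site name, rule name and regex are assumptions to verify.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                      # Exchange front-end site (assumption)
$RuleName   = 'BlockAutodiscoverPowerShell'           # hypothetical rule name
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$RuleFilter = "system.webServer/rewrite/rules/rule[@name='$RuleName']"
# Revised pattern published by Microsoft; confirm against the current alert.
$Pattern    = '(?=.*autodiscover\.json)(?=.*powershell)'

# 1. URL Rewrite "Request Blocking" rule: match every URL, then abort the request
#    when the decoded REQUEST_URI contains both autodiscover.json and powershell.
$existing = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $RuleFilter
if ($null -eq $existing) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }

    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$RuleFilter/match" -Name 'url' -Value '.*'

    # Decode first so percent-encoded variants of the path cannot slip past the regex.
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$RuleFilter/conditions" -Name '.' `
        -Value @{ input = '{UrlDecode:{REQUEST_URI}}'; pattern = $Pattern }

    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'
}

# 2. Block the Remote PowerShell (WinRM) ports named in the alert.
#    Caveat: this also cuts off WinRM-based administration of the server. Windows
#    Firewall gives Block rules precedence over Allow rules, so if a management
#    subnet must keep WinRM access, narrow -RemoteAddress here rather than adding
#    an Allow rule beside this one.
foreach ($port in 5985, 5986) {
    $ruleDisplayName = "Block Remote PowerShell TCP $port (Exchange mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleDisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleDisplayName -Direction Inbound `
            -Protocol TCP -LocalPort $port -RemoteAddress Any -Action Block -Profile Any | Out-Null
    }
}

# 3. Verify both controls are in place.
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $RuleFilter |
    Select-Object name, stopProcessing
Get-NetFirewallRule -DisplayName 'Block Remote PowerShell TCP *' |
    Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol
```

After running it, a request for an autodiscover.json URL whose query string contains "powershell" should be aborted by IIS with an empty response, while ordinary Autodiscover requests are unaffected; re-run the verification block after any Exchange cumulative update, since updates can reset IIS configuration.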
"Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers," the company said. However, other cybersecurity researchers have suggested that Microsoft Exchange Online customers could also be affected.
Currently, there's no publicly disclosed information about who is being targeted by attacks exploiting the zero-day vulnerabilities or who could be behind the attacks.
"We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the temporary remedy as soon as possible to avoid potential serious damages," said researchers at GTSC.