CVE-2022-41080 — Microsoft Exchange Server Privilege Escalation Vulnerability

CVE-2022-41080

Microsoft Exchange Server — OWA SSRF Enables Privilege Escalation (OWASSRF Chain with CVE-2022-41082 for RCE); Exploited by Play Ransomware; KEV Added January 2023

What is Microsoft Exchange Server OWA?

Outlook Web App (OWA) is Exchange Server's browser-based mail client, served over HTTPS and, in most deployments, reachable from the internet. Since Exchange 2013, an Exchange server runs two IIS websites: the Client Access frontend (Default Web Site, TCP 443), which authenticates the user and proxies the request, and the Exchange Back End site (TCP 444), which hosts the actual OWA, ECP, EWS, Autodiscover and PowerShell remoting applications. The frontend chooses the backend application a request is forwarded to from the request path. A server-side request forgery (SSRF) in this proxy layer lets an authenticated user steer a request sent to the OWA frontend into a backend endpoint the frontend was never meant to expose on that path, here Exchange's PowerShell remoting endpoint. Exchange is a high-value target: a full compromise exposes all corporate mail, calendar and contact data, and Exchange servers hold highly privileged positions in Active Directory.

Overview

CVE-2022-41080 is a server-side request forgery (SSRF, CWE-918) in the Outlook Web App frontend of Microsoft Exchange Server. An authenticated user with nothing more than a mailbox can craft an OWA request that the frontend proxies to the backend PowerShell remoting endpoint; Microsoft classifies the result as an elevation of privilege. It is the first stage of the OWASSRF chain (CVE-2022-41080 + CVE-2022-41082), through which a low-privilege Exchange user obtains remote code execution on the server. CrowdStrike identified OWASSRF in December 2022 as a bypass of Microsoft's URL rewrite mitigation for the earlier ProxyNotShell chain (CVE-2022-41040 + CVE-2022-41082); the November 2022 Security Update had already fixed both CVEs, so only unpatched servers relying on the mitigation were exposed. Play ransomware operators used OWASSRF for initial access before CISA added CVE-2022-41080 to the KEV catalog on January 10, 2023.

Affected Versions

Product              | Affected                                  | Fixed
Exchange Server 2013 | Releases prior to the November 2022 SU    | November 8, 2022 Security Update
Exchange Server 2016 | Releases prior to the November 2022 SU    | November 8, 2022 Security Update (CU23 SU7)
Exchange Server 2019 | Releases prior to the November 2022 SU    | November 8, 2022 Security Update (CU12 SU7)

Technical Details

CVE-2022-41080 is an SSRF (CWE-918) in the Exchange Client Access frontend's handling of OWA requests. The frontend normally proxies a request under /owa/ to the backend OWA application; a crafted path makes it proxy the request to a different backend application, the PowerShell remoting endpoint, while still forwarding the caller's authenticated identity. The OWASSRF chain:

  1. Authenticate to OWA with any valid Exchange mailbox account; no Exchange management role is needed.
  2. Exploit CVE-2022-41080 (SSRF): send an OWA request whose path is of the form /owa/<mailbox address>/powershell, so that the frontend proxies it to the backend PowerShell remoting application rather than to OWA.
  3. Reach PowerShell remoting: the backend accepts the proxied request as an authenticated session for the low-privilege user. Because the request never touches the Autodiscover path, Microsoft's URL rewrite mitigation for CVE-2022-41040, which keyed on "autodiscover" together with "powershell" in the request URI, does not block it.
  4. Exploit CVE-2022-41082 (RCE): abuse the PowerShell remoting session to trigger the deserialization flaw in Exchange's PowerShell backend, executing code as SYSTEM on the Exchange server.

The OWASSRF discovery by CrowdStrike in December 2022 confirmed that Microsoft's ProxyNotShell URL-rewrite mitigation was insufficient — organizations that had applied the mitigation but not the November patch were still vulnerable to Exchange compromise via OWASSRF.

Discovery

CrowdStrike's Incident Response team discovered OWASSRF in December 2022 while investigating Play ransomware incidents where Exchange servers were compromised despite organizations having applied Microsoft's ProxyNotShell URL rewrite mitigation. CrowdStrike published OWASSRF technical details on December 20, 2022, at which point organizations were urgently advised to apply the November 2022 Exchange Security Updates rather than relying on the mitigation.

Exploitation Context

Play ransomware (also called PlayCrypt) used OWASSRF as a primary initial access vector against Exchange Server deployments throughout late 2022 and early 2023. The OWASSRF chain was attractive because:

  • Any valid Exchange mailbox user account could trigger the exploit — no elevated Exchange permissions needed
  • Microsoft's widely-deployed URL rewrite mitigation for ProxyNotShell was ineffective against OWASSRF
  • OWA is internet-facing in most deployments, so no prior foothold in the network was needed
  • Exchange compromise provides direct access to all corporate email and a SYSTEM shell on a centrally positioned server

Play ransomware's use of OWASSRF for Exchange initial access was confirmed in CrowdStrike incident investigations and subsequently documented by Microsoft and CISA.

Remediation

  1. Install the November 2022 Exchange Security Updates. They fix both CVE-2022-41080 and CVE-2022-41082 on Exchange 2013, 2016 and 2019. The URL rewrite mitigation alone is not a fix: it does not stop OWASSRF.
  2. Treat the ProxyNotShell URL rewrite rule as obsolete. Once the November 2022 SU (or a later one) is installed it is no longer needed and can be removed; leaving it in place gives no protection against OWASSRF.
  3. Keep Exchange current. Install each subsequent Exchange Security Update promptly; Exchange remains a sustained exploitation target.
  4. Hunt in IIS logs. On the frontend (Default Web Site, typically W3SVC1 under inetpub\logs\LogFiles), look for requests whose URL stem has the form /owa/<anything>/powershell, and correlate them with /powershell requests in the Exchange Back End site logs (port 444). Include the ProxyNotShell pattern (autodiscover.json together with powershell in the request URI) in the same hunt.
  5. Look for post-exploitation artifacts. Check Exchange virtual directories for recently created or modified ASPX files (web shells) and for remote-access tooling dropped through the PowerShell session, which CrowdStrike observed in the Play intrusions. Confirm the Exchange Emergency Mitigation Service (EEMS) is running and use the Exchange Server Health Checker script (HealthChecker.ps1 from Microsoft's CSS-Exchange repository) to verify update and mitigation state.
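The log hunt from step 4, and the point made in the exploit chain that the ProxyNotShell rewrite rule never fires for OWA requests, as an added example. This is example code written for this page, not from the original page, CrowdStrike or Microsoft. It parses W3C-format IIS frontend log lines, flags requests shaped like OWASSRF (/owa/<anything>/powershell) and ProxyNotShell (autodiscover.json plus powershell), and tests each against the rewrite pattern. The log lines, IP addresses, account names and mailbox address are constructed for the example; the rewrite pattern is assumed to be the lookahead form from Microsoft's guidance, so compare it with the rule actually deployed on your servers.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional
from urllib.parse import unquote

# Constructed IIS W3C log excerpt from an Exchange frontend (Default Web Site).
# Every value below is made up for this example; the mailbox address is a placeholder.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-12-15 03:14:07 10.0.0.5 POST /owa/mastermailbox%40contoso.com/powershell - 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.28.1 - 200 0 0 1532
2022-12-15 03:14:09 10.0.0.5 GET /owa/ - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 85
2022-12-15 03:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.com/powershell/ 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.28.1 - 401 0 0 12
2022-12-15 03:15:30 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\\asmith 198.51.100.40 Microsoft+Office/16.0 - 200 0 0 210
"""

# Structural shape of an OWASSRF request: the OWA virtual directory, one attacker-chosen
# segment (a mailbox address), then the PowerShell remoting endpoint. Match the shape,
# not a specific address, because the address is under the attacker's control.
OWASSRF_RE = re.compile(r"^/owa/[^/]+/powershell(?:/|$)", re.IGNORECASE)

# Assumed form of Microsoft's ProxyNotShell URL rewrite pattern: both "autodiscover" and
# "powershell" must appear in the request URI. OWASSRF URIs contain no "autodiscover".
MITIGATION_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    chain: str            # "OWASSRF" or "ProxyNotShell"
    timestamp: str
    client_ip: str
    username: str
    method: str
    request_uri: str
    status: str
    blocked_by_mitigation: bool


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def request_uri(rec: dict) -> str:
    """Rebuild the decoded request URI; '-' means no query string in W3C logs."""
    stem = unquote(rec.get("cs-uri-stem", ""))
    query = rec.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{unquote(query)}"


def classify(uri: str) -> Optional[str]:
    """Return the exploit chain a request URI is shaped like, or None."""
    stem = uri.split("?", 1)[0]
    if OWASSRF_RE.search(stem):
        return "OWASSRF"
    if "autodiscover.json" in stem.lower() and "powershell" in uri.lower():
        return "ProxyNotShell"
    return None


def mitigation_blocks(uri: str) -> bool:
    """Would the assumed ProxyNotShell rewrite rule have blocked this URI?"""
    return MITIGATION_RE.search(uri) is not None


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        uri = request_uri(rec)
        chain = classify(uri)
        if chain is None:
            continue
        hits.append(Hit(chain=chain,
                        timestamp=f"{rec['date']} {rec['time']}",
                        client_ip=rec.get("c-ip", "-"),
                        username=rec.get("cs-username", "-"),
                        method=rec.get("cs-method", "-"),
                        request_uri=uri,
                        status=rec.get("sc-status", "-"),
                        blocked_by_mitigation=mitigation_blocks(uri)))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        flag = "blocked by rewrite rule" if h.blocked_by_mitigation else "NOT blocked by rewrite rule"
        print(f"{h.timestamp} {h.chain:13} {h.client_ip:15} {h.username:15} "
              f"{h.method} {h.request_uri} -> {h.status} ({flag})")
```

Run against real frontend logs by feeding the file object to scan(); the URI is percent-decoded before matching so encodings of the @ sign do not evade the pattern. A 200 on an OWASSRF-shaped POST is the record to escalate, and the client IP and account name give the pivot for correlating the matching /powershell entries in the Exchange Back End site logs.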

Key Details

Property              Value
CVE ID                CVE-2022-41080
Vendor / Product      Microsoft, Exchange Server
NVD Published         2022-11-09
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-918
CISA KEV Added        2023-01-10
CISA KEV Deadline     2023-01-31
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-01-31. Apply updates per vendor instructions.

Timeline

Date        Event
2022-09-29  Microsoft publicly acknowledges CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell) as zero-days exploited in the wild and issues the URL rewrite mitigation
2022-11-08  Microsoft November 2022 Patch Tuesday patches ProxyNotShell (CVE-2022-41040 + CVE-2022-41082) and CVE-2022-41080
2022-12-20  CrowdStrike publishes OWASSRF (CVE-2022-41080 + CVE-2022-41082), a new exploitation chain used by Play ransomware that bypasses Microsoft's ProxyNotShell URL rewrite mitigation
2023-01-10  CISA adds CVE-2022-41080 to the Known Exploited Vulnerabilities catalog after OWASSRF exploitation is confirmed
2023-01-31  CISA BOD 22-01 remediation deadline