Mallory
Severity: High | CISA KEV | Exploited in the wild | Public exploit

OWASSRF in Microsoft Exchange Server

Identifiers: CVE-2022-41080, CWE-918

CVE-2022-41080, dubbed OWASSRF by public researchers, is an authenticated server-side request forgery vulnerability in on-premises Microsoft Exchange Server Outlook Web Access (OWA). The issue arises from OWA request handling that allows attacker-controlled input from the X-OWA-ExplicitLogonUser header to influence ExplicitSignOnAddress during backend URL construction. Reported vulnerable code paths include OwaProxyRequestHandler.GetTargetBackEndServerUrl and OwaEcpProxyRequestHandler.GetClientUrlForProxy, with UrlHelper.RemoveExplicitLogonFromUrlAbsolutePath removing the explicit logon component from the path via string replacement. By supplying a value beginning with "owa/" in X-OWA-ExplicitLogonUser and crafting a request such as /owa/test%40gmail.com/mapi/nspi, an authenticated attacker can cause the frontend to rewrite and proxy the request to backend Exchange endpoints such as /mapi/nspi. Researchers also stated the flaw can expose backend /powershell access through OWA, enabling access to Exchange PowerShell remoting surfaces that are normally not remotely reachable in this manner. Microsoft classifies the issue as an Exchange Server elevation of privilege vulnerability, but the technical primitive described in the supporting content is authenticated SSRF.


Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to make the Exchange frontend issue backend requests in the security context of the authenticated user. This can expose internal Exchange endpoints, including /mapi/nspi and /powershell, that are not intended to be directly reachable from the attacker’s network position. In observed and reported exploitation chains, CVE-2022-41080 was used for initial access and to expose Exchange PowerShell, and was chained with CVE-2022-41082 or other post-access techniques to achieve broader compromise, including remote code execution and ransomware deployment. The practical impact is therefore unauthorized access to privileged internal Exchange functionality, expansion of reachable attack surface, and facilitation of full server compromise when chained.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Exchange OWA/ECP to untrusted networks, restrict access to Exchange administrative and PowerShell endpoints, and monitor for anomalous OWA requests involving the X-OWA-ExplicitLogonUser header and unexpected access to backend paths such as /mapi/nspi or /powershell. Because exploitation is authenticated, enforce MFA for Exchange-accessible accounts, minimize externally exposed Exchange services, and review logs for suspicious OWA-originated proxy activity. These measures are mitigations only and do not replace vendor patching.
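As an added example, not part of this page or of any vendor tooling: a small Python check over constructed IIS W3C log lines that flags the URL shape described above (an explicit-logon /owa/<mailbox>/ prefix followed by a backend path such as /mapi/nspi or /powershell). It assumes the default IIS log fields; standard IIS logs do not record the X-OWA-ExplicitLogonUser header itself, so the check keys on the rewritten URI rather than on the header.

```python
import re
from urllib.parse import unquote

# Explicit-logon URLs look like /owa/<mailbox>/...; the abuse described on this page
# appends a backend path after the mailbox segment. Backend targets named on the
# page are /mapi/nspi and /powershell; legitimate explicit-logon browsing is not hit.
SUSPECT_BACKEND = re.compile(
    r"^/owa/[^/]+@[^/]+/(mapi|powershell)(/|$)", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per data row of an IIS W3C log, using its #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_owassrf(rows):
    """Return rows whose URL-decoded cs-uri-stem matches the explicit-logon-to-backend pattern."""
    hits = []
    for row in rows:
        stem = unquote(row.get("cs-uri-stem", ""))  # %40 -> @ before matching
        if SUSPECT_BACKEND.match(stem):
            hits.append({"time": row.get("time"), "client": row.get("c-ip"),
                         "user": row.get("cs-username"), "stem": stem,
                         "status": row.get("sc-status")})
    return hits


# Constructed sample IIS log excerpt (not real traffic); the third and fourth rows
# mimic the request shape from the description, the last row is a benign explicit logon.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2022-12-20 10:01:02 203.0.113.5 CORP\\jdoe GET /owa/ - 200
2022-12-20 10:01:09 203.0.113.5 CORP\\jdoe POST /owa/test%40gmail.com/mapi/nspi - 200
2022-12-20 10:01:15 203.0.113.5 CORP\\jdoe POST /owa/test%40gmail.com/powershell - 200
2022-12-20 10:02:30 198.51.100.7 CORP\\asmith GET /owa/shared%40example.com/ - 200
""".splitlines()


def scan_sample():
    return flag_owassrf(parse_w3c(SAMPLE_LOG))
```

Point parse_w3c at the Exchange frontend (Default Web Site) IIS logs; hits with a 200 status from an authenticated user warrant the log review the mitigation paragraph calls for.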

Remediation

Patch, then assume compromise.

Apply Microsoft’s security updates for CVE-2022-41080 on affected on-premises Exchange Server versions. Supporting content indicates affected versions included Exchange Server 2013 CU23, Exchange Server 2016 CU22 and CU23, and Exchange Server 2019 CU11 and CU12. Microsoft shipped a patch for this vulnerability and assessed exploitation as more likely. Organizations should ensure Exchange is updated to a build containing the fix and remove reliance on temporary workarounds once patching is complete, consistent with Microsoft guidance for patched Exchange systems.

Affected products & vendors

Vendor                  Product           Type
Microsoft Corporation   Exchange Server   application
