Exchange CU13 and latest SU, yet external scan(s) claim CVE-2022-41040 CVE-2022-41082 vulnerability.

Ayukii 0 Reputation points
2024-04-29T15:13:10.5166667+00:00

Per Exchange Health Checker version 24.03.12.1700 this is my Exchange version.

Build Number: 15.02.1258.032

Exchange IU or Security Hotfix Detected: Security Update for Exchange Server 2019 Cumulative Update 13 (KB5036402)

We always run one CU behind the latest, and we pay for external vulnerability scans. So when CU12 went end of life we upgraded to CU13, and then our SOC began telling us that our Microsoft Exchange Server OWA has (KB5019758, ProxyNotShell) CVE-2022-41040: Server-Side Request Forgery (SSRF) and CVE-2022-41082: Remote code execution (RCE) vulnerabilities.

So I do my own external vulnerability scan using NMAP and the following scripts, which too claim the server is vulnerable.

https://github.com/Diverto/nse-exchange CVE-2022-1040_checker

https://github.com/Diverto/nse-exchange http-vuln-cve2022-41082.nse

Yet, we were, and are, patched to the point that these vulnerabilities should not exist. Also, the Exchange Health Checker script should tell me if we're vulnerable, yet it does not. Even the EOMTv2.ps1 script used to make URL rewrite rules to mitigate this attack in the first place now says:

    VERBOSE: Checking if EOMTv2 is up to date with https://aka.ms/EOMTv2-VersionsUri
    VERBOSE: Starting EOMTv2.ps1 version 23.11.21.1852 on MAIL
    VERBOSE: EOMTv2 preCheck complete on MAIL
    NOTICE: CVE-2022-41040 vulnerability has been fixed for the Exchange build running on this computer - mitigation will not be applied.

So here's the question(s)/assumption: When Microsoft released CU13 and the SUs to fix those CVEs, and we went from CU12 to CU13, wiping away those URL rewrite kludges, were my SOC, and those NMAP scripts, now fooled into thinking the Exchange server has this vulnerability?

Is there an external vulnerability scan I can try, other than what I already have, that I can be sure is telling me the truth?
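The disagreement above comes down to how a build number is read: the Health Checker prints a zero-padded build (15.02.1258.032), Security Updates change only the fourth component, and a scanner that compares the string or looks only at the CU part cannot tell an SU-patched server from an unpatched one. The following is an added example (not code from the question, the answer, or any Microsoft or Diverto tool) that parses the Health Checker build line numerically and decides patch status from a per-CU table of minimum SU builds. The table values and the "first CU that ships with the fix" constant are assumptions for illustration; take the authoritative numbers from Microsoft's build-numbers page linked in the answer before relying on them.

```python
"""Decide whether an Exchange 2019 build string is at or past a fix line.

Added example; not from the original question or answer. The minimum
builds below are ASSUMED illustrative values for the CVE-2022-41040 /
CVE-2022-41082 fix line and must be verified against Microsoft's
build-number page before use.
"""
from __future__ import annotations

import re
from typing import Dict, Tuple

Build = Tuple[int, int, int, int]

# ASSUMED table: (major, minor, cu_build) -> minimum fourth (SU) component
# that contains the fix for that CU line.
MIN_FIXED_SU: Dict[Tuple[int, int, int], int] = {
    (15, 2, 986): 36,   # assumed: Exchange 2019 CU11 line
    (15, 2, 1118): 20,  # assumed: Exchange 2019 CU12 line
}

# ASSUMED: CU builds whose third component is >= this value shipped with the
# fix already included, so no separate SU is required for this CVE pair.
FIRST_CU_WITH_FIX_INCLUDED = 1258  # assumed: Exchange 2019 CU13

_BUILD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(text: str) -> Build:
    """Extract a four-part build from a line such as
    'Build Number: 15.02.1258.032'. int() drops the zero padding, so
    15.02.1258.032 and 15.2.1258.32 parse to the same tuple."""
    match = _BUILD_RE.search(text)
    if not match:
        raise ValueError(f"no build number found in {text!r}")
    major, minor, cu, su = (int(part) for part in match.groups())
    return (major, minor, cu, su)


def patch_status(build: Build) -> str:
    """Classify a build against the (assumed) fix table.

    Returns one of: 'patched', 'vulnerable', 'unsupported-cu',
    'unknown-product'."""
    major, minor, cu, su = build
    if (major, minor) != (15, 2):
        return "unknown-product"  # table only covers Exchange 2019 (15.2.x)
    if cu >= FIRST_CU_WITH_FIX_INCLUDED:
        return "patched"          # CU itself post-dates the fix
    minimum_su = MIN_FIXED_SU.get((major, minor, cu))
    if minimum_su is None:
        return "unsupported-cu"   # CU line not in the table: treat as unfixed
    return "patched" if su >= minimum_su else "vulnerable"


def assess_report(report: str) -> Dict[str, object]:
    """Run the check over Health Checker style output and return a verdict."""
    build = parse_build(report)
    return {
        "build": ".".join(str(p) for p in build),
        "status": patch_status(build),
    }


def naive_string_compare(observed: str, minimum: str) -> bool:
    """The pitfall a scanner can fall into: plain string ordering says
    '15.02.1258.032' < '15.2.1118.20' because '0' < '2' at the second
    component, so a patched CU13 server looks older than an unpatched CU12."""
    return observed >= minimum


if __name__ == "__main__":
    # Constructed sample: the two lines the question quotes from Health Checker.
    sample = (
        "Build Number: 15.02.1258.032\n"
        "Exchange IU or Security Hotfix Detected: Security Update for "
        "Exchange Server 2019 Cumulative Update 13 (KB5036402)\n"
    )
    print(assess_report(sample))
    print("naive string compare says patched:",
          naive_string_compare("15.02.1258.032", "15.2.1118.20"))
```

The numeric comparison reports the question's build as patched, while the string comparison reports it as older than the CU12 fix line; that is the kind of mismatch that can make an external scanner and the on-host tooling disagree, so when the two conflict, check which one is actually reading the SU component.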


1 answer

Andy David - MVP, 142.7K Reputation points
2024-04-29T20:48:15.0633333+00:00

I always go by what the Exchange Health Checker says. Not sure what that external scanning is going by, honestly. BTW, if you are on CU13, you are really two builds behind. Hopefully you have Extended Protection enabled!

https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019