Blocking Exchange CVE-2022-41040 Attacks via HAProxy

If you’re running Microsoft Exchange on-premises and want to protect your setup against the recent CVE-2022-41040 and CVE-2022-41082 zero-day vulnerabilities, you can follow Microsoft’s instructions to set up a rewrite rule in IIS.

If your Exchange setup is behind HAProxy, you can also block the requests at the proxy level. This is especially useful if you are running Windows Server Core and/or don’t have the IIS Management GUI available to follow Microsoft’s instructions.

I’ve added the following lines to my HAProxy config to block the malicious requests:

acl block-url url_reg -i ^.*autodiscover\.json.*powershell.*$
http-request deny if block-url

I briefly tested this by opening the URL https://<example.com>/autodiscover/autodiscover.json?@evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com and it is blocked correctly with a 403 from HAProxy.
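
An added check, not part of the original post: it runs the ACL's regular expression over a few request lines to confirm that the test URL above is denied while ordinary Autodiscover, remote PowerShell and OWA requests are allowed. Every request line except the first is a constructed sample, and Python's re module stands in for HAProxy's regex engine, an assumption that holds for this simple pattern.

```python
import re

# Pattern copied from the ACL on this page; "url_reg -i" is case-insensitive.
BLOCK_URL = re.compile(r"^.*autodiscover\.json.*powershell.*$", re.IGNORECASE)

# Constructed request lines; only the first target comes from the page.
SAMPLES = [
    "GET /autodiscover/autodiscover.json?@evil.com/powershell"
    "&Email=autodiscover/autodiscover.json%3f@evil.com HTTP/1.1",
    "GET /Autodiscover/Autodiscover.JSON?@evil.com/PowerShell HTTP/1.1",
    "POST /autodiscover/autodiscover.xml HTTP/1.1",
    "GET /autodiscover/autodiscover.json?Email=user@example.com"
    "&Protocol=ActiveSync HTTP/1.1",
    "POST /powershell HTTP/1.1",
    "GET /owa/ HTTP/1.1",
]


def request_target(request_line):
    """Return the target from 'METHOD target HTTP/x.y' (what HAProxy's url fetch sees)."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def verdict(request_line):
    """Return 'deny' (HAProxy answers 403) or 'allow', as the ACL would decide."""
    return "deny" if BLOCK_URL.search(request_target(request_line)) else "allow"


def evaluate(request_lines):
    """Map each request target to the ACL's verdict."""
    return {request_target(line): verdict(line) for line in request_lines}


if __name__ == "__main__":
    for target, result in evaluate(SAMPLES).items():
        print(f"{result:5}  {target}")
```

The rule only fires when autodiscover.json is followed by powershell in the same URL, so legitimate Autodiscover and remote PowerShell traffic on their own endpoints passes through.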

Use this at your own risk. I still recommend following the official mitigation instructions whenever possible.
