IRONSMITHINTEL
CRITICAL · CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2022-41040 | Auth: low — authenticated Exchange user required | Reboot: service restart | Est. 2 hours including service restart | Manual only

KB5019758: Microsoft Exchange Server 2013 / 2016 / 2019 Security Update (October 2022)

Two-bug chain allowing an authenticated Exchange user to achieve remote code execution. Apply KB5019758 — exploited in the wild before a patch was available, used by state actors to deploy Chopper web shells.

Published Oct 11, 2022 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An authenticated Exchange user (including a low-privileged mailbox) can execute arbitrary code on the Exchange server as SYSTEM, read all mailboxes, install web shells, and move laterally. The initial authentication requirement is easily met through phishing or credential stuffing. State actors used this to deploy China Chopper web shells across government Exchange servers.

How the attack works (no clicks needed)

CVE-2022-41040 is a server-side request forgery (SSRF) that lets an authenticated Exchange user reach the PowerShell endpoint and trigger CVE-2022-41082, a PowerShell remote code execution vulnerability. The attacker needs any valid Exchange mailbox — a single compromised user account is sufficient. This is distinct from ProxyShell, which required no authentication.
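The two-bug chain leaves a recognisable trace in IIS logs: an Autodiscover request whose decoded URI also carries a PowerShell path. The following Python is an added hunting example written for this page, not code from IRONSMITHINTEL or Microsoft. It parses W3C-format IIS log lines (the sample lines are constructed, not real traffic), URL-decodes the stem and query, and flags requests matching the lookahead pattern Microsoft used in its October 2022 URL Rewrite mitigation; that pattern is reproduced from memory and should be confirmed against current Microsoft guidance.

```python
"""Hunt IIS W3C logs for ProxyNotShell-shaped requests (CVE-2022-41040)."""
import re
from urllib.parse import unquote

# Both "autodiscover" and "powershell" must appear in the decoded request URI.
# Assumed to mirror Microsoft's October 2022 rewrite-rule pattern; verify before use.
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed sample of an IIS W3C log; these are not real requests.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-09-30 10:15:01 GET /owa/ - - 203.0.113.7 200
2022-09-30 10:15:09 POST /autodiscover/autodiscover.json a=example%40contoso.com%2Fpowershell%2F CONTOSO\\jdoe 203.0.113.7 200
2022-09-30 10:15:12 GET /ecp/ - CONTOSO\\jdoe 203.0.113.7 200
2022-09-30 10:16:40 POST /Autodiscover/Autodiscover.json a=user%40contoso.com%2FPowerShell CONTOSO\\mallory 198.51.100.2 401
2022-09-30 10:17:00 GET /autodiscover/autodiscover.json Protocol=ActiveSync - 203.0.113.9 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production hunt would report it
        yield dict(zip(fields, values))


def decoded_uri(rec):
    """Rebuild stem + query and decode twice so %25-style double encoding cannot hide the path."""
    query = rec.get("cs-uri-query", "-")
    uri = rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)
    return unquote(unquote(uri))


def hunt(text):
    """Return (decoded_uri, client_ip, username, status) for every suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        uri = decoded_uri(rec)
        if PROXYNOTSHELL_RE.search(uri):
            hits.append((uri, rec["c-ip"], rec["cs-username"], rec["sc-status"]))
    return hits


def successful_hits(text):
    """Hits the server answered with 2xx: authenticated attempts that warrant incident response."""
    return [h for h in hunt(text) if h[3].startswith("2")]


if __name__ == "__main__":
    for uri, ip, user, status in hunt(SAMPLE_IIS_LOG):
        print(f"{status} {ip} {user} {uri}")
```

A 401 hit still matters: it shows someone probing the chain with credentials that did not work, so both lists are worth keeping, but the 2xx subset is where mailbox and web-shell triage should start. Point the script at the real log directory (typically under C:\inetpub\logs\LogFiles) by reading each file into hunt().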

Am I affected? (quick check)

Probably yes if any of these apply:

Running Exchange Server 2013, 2016, 2019 — all builds prior to the October 2022 SU

Relevant roles: Exchange Administrators, Mail Administrators, IT Security

Affected OS versions

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Fixed in: KB5019758 (October 2022 Security Update)
Real-world incidents: what we've seen

GTSC, a Vietnamese security company, reported active exploitation in August 2022. Microsoft acknowledged the vulnerability on September 29, 2022, and began an accelerated patch process. ProxyNotShell was exploited by MERCURY (a.k.a. MuddyWater), an Iran-affiliated threat actor, to target on-premises Exchange servers before the October patch was available.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update Catalog: KB5019758

Manual remediation steps (estimated 2 hours including service restart)

Check Installed Exchange Version

Get-Command ExSetup | ForEach { $_.FileVersionInfo }
# Vulnerable if Exchange 2019 < 15.2.1118.12, Exchange 2016 < 15.1.2507.13
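Comparing the FileVersionInfo output against the thresholds above is where manual checks go wrong: build strings compared as text put 15.2.986.30 after 15.2.1118.12 because "9" sorts after "1". The following Python is an added example, not the page's own tooling; it parses the four-part build into integers and compares numerically. The thresholds are the two given in the comment above (they are not independently verified here; confirm them against Microsoft's Exchange build-number table, which also lists fixed builds for older CU lines). The page gives no threshold for Exchange 2013, so that product is reported as unknown.

```python
"""Decide whether an ExSetup.exe build is at or above the fixed October 2022 SU build."""
import re

# Thresholds copied from the version-check comment above; confirm against Microsoft's table.
FIXED_BUILDS = {
    "Exchange 2019": (15, 2, 1118, 12),
    "Exchange 2016": (15, 1, 2507, 13),
}

# Exchange product lines are identified by the first two components of the build number.
PRODUCT_BY_MAJOR_MINOR = {
    (15, 2): "Exchange 2019",
    (15, 1): "Exchange 2016",
    (15, 0): "Exchange 2013",
}


def parse_build(version):
    """Turn '15.2.1118.12' into the tuple (15, 2, 1118, 12); reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"not a four-part build number: {version!r}")
    return tuple(int(part) for part in m.groups())


def naive_is_patched(version, fixed):
    """The wrong way: lexical string comparison, shown only to expose the pitfall."""
    return version >= fixed


def assess(version):
    """Return (product, patched) where patched is True/False, or None when no threshold is known."""
    build = parse_build(version)
    product = PRODUCT_BY_MAJOR_MINOR.get(build[:2])
    if product is None:
        return (None, None)  # not an Exchange 2013/2016/2019 build number
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return (product, None)  # Exchange 2013: no threshold listed on this page
    return (product, build >= fixed)  # tuple comparison is component-wise and numeric


if __name__ == "__main__":
    # Constructed sample inputs, e.g. pasted from Get-Command ExSetup | ForEach { $_.FileVersionInfo }
    for v in ("15.2.1118.12", "15.2.986.30", "15.1.2507.13", "15.0.1497.44"):
        print(v, assess(v), "naive:", naive_is_patched(v, "15.2.1118.12"))
```

Feed it the FileVersion string from the Exchange Management Shell output; a result of False against the listed threshold means the server is below the October 2022 SU build for that product line and the interim mitigation below should already be in place.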

Interim Mitigation (before patching)

# Block the SSRF path via URL Rewrite rule (requires the IIS URL Rewrite module and the WebAdministration PowerShell module)
# Run in an elevated Exchange Management Shell:
Import-Module WebAdministration
$filter   = "system.webServer/rewrite/rules"
$siteName = "Default Web Site"
$psPath   = "MACHINE/WEBROOT/APPHOST/$siteName"
$ruleName = "Block-ProxyNotShell"
# 1. Create the rule container: regex syntax, stop processing further rules on a match
Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name "." -Value @{
    name           = $ruleName
    patternSyntax  = 'ECMAScript'
    stopProcessing = 'true'
  }
# 2. Match every URL, then abort any request whose URL-decoded URI contains both
#    "autodiscover" and "powershell". The condition pattern is assumed to match Microsoft's
#    published October 2022 mitigation rule; confirm it against current Microsoft guidance.
$rule = "$filter/rule[@name='$ruleName']"
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" -Name "url" -Value ".*"
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name "." -Value @{
    input   = '{UrlDecode:{REQUEST_URI}}'
    pattern = '(?=.*autodiscover)(?=.*powershell)'
  }
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name "type" -Value "AbortRequest"
# NOTE: This is a temporary mitigation — apply the patch as soon as possible

Apply KB5019758

1. Download the October 2022 Security Update from https://aka.ms/exchangeupdates
2. Apply from elevated PowerShell:
   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /mode:Upgrade

Verify

Get-Command ExSetup | ForEach { $_.FileVersionInfo }

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 2 fixes · Patch-to-CVE mapping

Patch ID  | CVE ID         | Vulnerability Name / Type | CVSS | Reference
KB5019758 | CVE-2022-41040 | See NVD                   | 8.8  | NVD ↗
KB5019758 | CVE-2022-41082 | See NVD                   | 8.8  | NVD ↗