IRONSMITHINTEL
CRITICAL | CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2022-41040 | Auth: low (authenticated Exchange user required) | Reboot: service restart | Est. 2 hours including service restart | Manual only

KB5019758: Microsoft Exchange Server 2013 / 2016 / 2019 Security Update (November 2022)

Two-bug chain (ProxyNotShell) allowing an authenticated Exchange user to achieve remote code execution. Apply KB5019758. The chain was exploited in the wild before a patch was available and was used by state actors to deploy China Chopper web shells.

Published Oct 11, 2022 · Updated May 29, 2026
Why patch: risk explained in plain English
Worst-case scenario: if unpatched

An authenticated Exchange user (including a low-privileged mailbox) can execute arbitrary code on the Exchange server as SYSTEM, read all mailboxes, install web shells, and move laterally. The initial authentication requirement is easily met through phishing or credential stuffing. State actors used this to deploy China Chopper web shells across government Exchange servers.

How the attack works: no clicks needed

CVE-2022-41040 is a server-side request forgery (SSRF) in the Exchange front end: a crafted request to /autodiscover/autodiscover.json is proxied to the PowerShell remoting backend (/powershell), which an ordinary mailbox user is not supposed to reach. That access is then used to trigger CVE-2022-41082, a remote code execution flaw in the PowerShell remoting endpoint, and the resulting code runs in the context of the Exchange backend (SYSTEM). The attacker needs any valid Exchange mailbox credential; a single compromised user account is sufficient, and no user interaction is required. The front-end request shape is the one ProxyShell abused in 2021, but ProxyShell required no authentication, whereas ProxyNotShell does. Microsoft's interim IIS URL Rewrite mitigation was bypassed and revised several times before the security update shipped; treat it as a stopgap only and install KB5019758.
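The request shape above leaves a recognisable trace in IIS logs, and Microsoft's customer guidance for these CVEs gave the Select-String pattern 'powershell.*autodiscover\.json.*\@.*200' for finding it. The script below is an added example (not from the original page or from Microsoft): it parses W3C log lines with that pattern and returns the matching requests as objects instead of raw lines. The two log lines are constructed samples; the field list, host names and addresses are assumptions.

```powershell
# Added example: hunt IIS W3C logs for requests that reached the Exchange
# PowerShell backend through the autodiscover.json SSRF path.
# Pattern as published in Microsoft's customer guidance for CVE-2022-41040/41082.
$Pattern = 'powershell.*autodiscover\.json.*\@.*200'

function Find-ProxyNotShellRequests {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # W3C logs declare their column layout in a #Fields: directive.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        # -notmatch is case-insensitive by default, same as Select-String.
        if ($line -notmatch $Pattern) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIP = $row['c-ip']
            User     = $row['cs-username']
            Method   = $row['cs-method']
            Uri      = $row['cs-uri-stem']
            Query    = $row['cs-uri-query']
            Status   = $row['sc-status']
        }
    }
}

# Constructed sample log (assumed field layout): one benign Autodiscover request
# and one request that rides the SSRF into /powershell and receives HTTP 200.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 09:12:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\jdoe 10.0.0.42 Microsoft+Office/16.0 - 200 0 0 15
2022-09-30 09:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.com/powershell/?X-Rps-CAT=VgAAAA&Email=autodiscover/autodiscover.json%3F@contoso.com 443 CONTOSO\jdoe 203.0.113.10 Mozilla/5.0 - 200 0 0 230
'@ -split "`r?`n"

# Only the second request should be reported.
Find-ProxyNotShellRequests -Lines $SampleLog | Format-Table -AutoSize

# Against a real server, point it at the IIS log directory (default shown; adjust W3SVC site id):
# Get-ChildItem -Recurse -Path 'C:\inetpub\logs\LogFiles' -Filter '*.log' |
#     ForEach-Object { Find-ProxyNotShellRequests -Lines (Get-Content $_.FullName) }
```

A hit with a 200 status and a mailbox user in cs-username means the SSRF reached the backend; treat the client IP and the account as compromised and look for web shells under the Exchange and IIS directories rather than relying on the log alone.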

Am I affected? Quick check

Probably yes if any of these apply:

On-premises Exchange Server 2013, 2016 or 2019 on any build below the November 2022 SU (KB5019758), including the on-premises side of a hybrid deployment
Any Exchange server that serves Outlook, OWA or Autodiscover to users; the SSRF reaches the PowerShell backend through the normal front end, so it does not require the /powershell virtual directory to be reachable directly, and an internet-facing server is reachable by anyone holding a single valid credential
Exchange Online on its own is not affected; hybrid organisations still need to patch their on-premises servers

Affected OS versions (the host operating systems these Exchange versions run on; the flaw is in Exchange, not Windows)

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Fixed in: KB5019758 (applies to 5 product/CU versions); fixed builds 15.00.1497.044, 15.01.2375.037, 15.01.2507.016, 15.02.0986.036, 15.02.1118.020
Real-world incidents: what we've seen

GTSC, a Vietnamese security company, observed active exploitation as early as August 2022 and published its findings at the end of September. Microsoft acknowledged both vulnerabilities on September 29, 2022, issued interim mitigations and began an accelerated patch process; the fix shipped in the November 2022 security update (KB5019758). ProxyNotShell was exploited by MERCURY (a.k.a. MuddyWater), an Iran-affiliated threat actor, to target on-premises Exchange servers before that patch was available.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Exchange security updates are built per Exchange version and Cumulative Update, not per Windows version, so Microsoft Update Catalog returns one package for each supported CU; pick the one matching the CU your server runs.

↗ Microsoft Update Catalog: KB5019758

Manual remediation steps

2 hours including service restart

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes both vulnerabilities in the chain.

Required KB Update

KB5019758: https://support.microsoft.com/help/5019758

Supersedes: KB5019076, KB5019077

Affected Products and Fixed Build Numbers

Product | Fixed build
Microsoft Exchange Server 2013 Cumulative Update 23 | 15.00.1497.044
Microsoft Exchange Server 2016 Cumulative Update 22 | 15.01.2375.037
Microsoft Exchange Server 2016 Cumulative Update 23 | 15.01.2507.016
Microsoft Exchange Server 2019 Cumulative Update 11 | 15.02.0986.036
Microsoft Exchange Server 2019 Cumulative Update 12 | 15.02.1118.020

Installation Methods

Windows Update (recommended)

1
Settings → Windows Update → Check for updates (Exchange SUs are delivered through Microsoft Update, so "Receive updates for other Microsoft products" must be enabled)
2
The security update is offered if your server runs one of the supported CUs listed above
3
Restart when prompted; a reboot is required to complete the install

Microsoft Update Catalog (manual download)

1
Open https://catalog.update.microsoft.com
2
Search for KB5019758
3
Download the package matching your Exchange version and Cumulative Update (the packages are per CU, not per Windows build)
4
Run the .msp package from an elevated Command Prompt or PowerShell session, not by double-clicking it; Exchange SUs are Windows Installer patches (.msp), not .msu files, and running one without elevation can leave the server half-patched
5
Restart when prompted
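The manual procedure above, scripted as an added example (not from the original page or from Microsoft): it refuses to run unless the session is elevated, applies the .msp through msiexec with a verbose log, and interprets the Windows Installer exit codes so the reboot requirement is not lost in an unattended run. The package path and log path are assumptions; substitute the package for your CU.

```powershell
# Added example: apply an Exchange SU package from an elevated session with logging.
function Install-ExchangeSecurityUpdate {
    param(
        # Assumed path of the package downloaded from the Update Catalog for your CU.
        [string]$MspPath = 'C:\Patches\Exchange2019-KB5019758-x64-en.msp',
        [string]$LogPath = 'C:\Patches\KB5019758-install.log'
    )

    # Microsoft's guidance is to run the .msp elevated; check before touching anything.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session; a non-elevated .msp install can leave Exchange half-patched.'
    }
    if (-not (Test-Path -LiteralPath $MspPath)) { throw "Package not found: $MspPath" }

    # msiexec /update applies a .msp patch; /qn = no UI, /norestart = you schedule
    # the reboot, /l*v = full verbose log for troubleshooting a failed install.
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/update', "`"$MspPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`""
    )

    # Standard Windows Installer exit codes.
    switch ($proc.ExitCode) {
        0       { 'Installed. Restart the server to complete the update.' }
        3010    { 'Installed; a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED).' }
        1641    { 'Installed; Windows Installer has initiated a reboot.' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
}

Install-ExchangeSecurityUpdate
```

Exchange services are stopped by the installer and restarted afterwards, which is where most of the quoted two hours goes; schedule the reboot inside the same window rather than leaving the server in the 3010 state.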

WSUS / SCCM / Intune

Approve KB5019758 for the affected products in your update management console.

Microsoft Download Center Links

https://www.microsoft.com/download/details.aspx?familyid=09804a62-d5b7-4e38-9902-010326747aef
https://www.microsoft.com/download/details.aspx?familyid=124eeb2b-4066-459e-9416-ee98683f4997
https://www.microsoft.com/download/details.aspx?familyid=4342d7ed-0583-4d2c-831c-836ee8f7bf62
https://www.microsoft.com/download/details.aspx?familyid=bbba5ecc-0ab5-466c-98bb-766c46a78fc2
https://www.microsoft.com/download/details.aspx?familyid=ddb4f351-5cb6-4ce4-93c1-ec6946f7c26a

Verification

Confirm the update is installed. Exchange security updates are Windows Installer patches (.msp), so they do not appear in Get-HotFix, which only lists Windows QFE hotfixes. Check the ExSetup.exe build from the Exchange Management Shell instead and compare it with the fixed build for your CU:

Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.ProductVersion }
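As an added example covering both the "Am I affected?" check and this verification step (not code from the original page or from Microsoft), the script below reads the ExSetup.exe build and evaluates it against the fixed-build table from the KB article: same CU and a revision at or above the fixed build means the SU is present, a CU newer than the ones KB5019758 targets already carries the fix, and an older CU must be upgraded before the SU can even be applied. The use of $env:ExchangeInstallPath as the first lookup and the family labels are assumptions.

```powershell
# Added example: decide whether this server carries the KB5019758 fix from its build number.

# Fixed builds from the KB article (leading zeros dropped; [version] compares numerically).
$FixedBuilds = @(
    [pscustomobject]@{ Product = 'Exchange 2013 CU23'; Build = [version]'15.0.1497.44' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU22'; Build = [version]'15.1.2375.37' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU23'; Build = [version]'15.1.2507.16' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU11'; Build = [version]'15.2.986.36'  }
    [pscustomobject]@{ Product = 'Exchange 2019 CU12'; Build = [version]'15.2.1118.20' }
)
# Major.minor identifies the product family.
$Family = @{ '15.0' = 'Exchange 2013'; '15.1' = 'Exchange 2016'; '15.2' = 'Exchange 2019' }

function Get-ExchangeBuild {
    # ExchangeInstallPath is set by Exchange setup; fall back to a PATH lookup (works in EMS).
    $exsetup = if ($env:ExchangeInstallPath) { Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe' }
               else { (Get-Command ExSetup.exe -ErrorAction Stop).Source }
    [version](Get-Item -LiteralPath $exsetup -ErrorAction Stop).VersionInfo.ProductVersion
}

function Test-KB5019758 {
    param([Parameter(Mandatory)][version]$Build)
    $key    = "$($Build.Major).$($Build.Minor)"
    $line   = $FixedBuilds | Where-Object { $_.Build.Major -eq $Build.Major -and $_.Build.Minor -eq $Build.Minor }
    $cu     = $line | Where-Object { $_.Build.Build -eq $Build.Build }
    $result = [ordered]@{ Build = $Build; Product = $null; Patched = $false; Note = $null }

    if (-not $line) {
        $result.Product = 'Not an Exchange 2013/2016/2019 build'
        $result.Note    = 'Outside the scope of KB5019758'
    } elseif ($cu) {
        # Same CU: an SU only bumps the fourth component, so a full version compare is exact.
        $result.Product = $cu.Product
        $result.Patched = ($Build -ge $cu.Build)
        $result.Note    = if ($result.Patched) { 'KB5019758 (or a later SU) is installed' }
                          else { "Below fixed build $($cu.Build); install KB5019758" }
    } elseif ($Build.Build -gt ($line.Build.Build | Measure-Object -Maximum).Maximum) {
        # A CU released after this SU includes every earlier SU fix.
        $result.Product = "$($Family[$key]) (CU newer than the KB5019758 targets)"
        $result.Patched = $true
        $result.Note    = 'Later CU; contains the fix'
    } else {
        $result.Product = "$($Family[$key]) (unsupported CU)"
        $result.Note    = 'CU predates the KB5019758 targets; upgrade to a supported CU, then apply the SU'
    }
    [pscustomobject]$result
}

# Live check on this server.
Test-KB5019758 -Build (Get-ExchangeBuild)

# Offline check of a build string collected elsewhere (constructed value).
Test-KB5019758 -Build '15.2.1118.15'
```

Running this from the Exchange Management Shell avoids the PATH fallback; on a plain PowerShell console $env:ExchangeInstallPath is still set after installation, so either path works.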

References

Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
KB article: https://support.microsoft.com/help/5019758
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-41040
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41040

Discovery Credit

DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with Trend Micro Zero Day Initiative

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update (2 fixes · Patch-to-CVE mapping)

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5019758 | CVE-2022-41040 | Server-side request forgery (SSRF), see NVD | 8.8 | NVD ↗
KB5019758 | CVE-2022-41082 | PowerShell remote code execution, see NVD | 8.8 | NVD ↗

Related vulnerabilities