
Shadowserver: More than 60,000 Exchange Servers Still Vulnerable to ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)

Updated on 2023-01-03: Shadowserver: More than 60,000 Exchange Servers Still Vulnerable to ProxyNotShell

According to data gathered by the Shadowserver Foundation, more than 60,000 Microsoft Exchange servers remain unpatched against CVE-2022-41082, the known remote code execution vulnerability in the ProxyNotShell chain. Microsoft released fixes for that flaw and for CVE-2022-41040, the second vulnerability ProxyNotShell exploits, in November 2022. The flaws affect Exchange Server 2013, 2016, and 2019.

Note

  • The work of keeping your in-house Exchange services secure shows no sign of dropping off. In 2023, I’d be hard pressed to argue there are not hosted alternative email solutions which are viable and secure. Take a look at in-sourced services and make sure that you’re not replicating commodity or commonly available services which are taking resources away from achievement of mission objectives.
  • While the reporting is troubling that such a large number of servers remain unpatched, I can’t say it is surprising. The EternalBlue exploit has been in the wild for five years, yet servers still remain vulnerable. Bottom line: if it’s a remote code execution vulnerability, it’s a must to elevate its priority in patching.


Updated on 2022-12-22: CVE-2022-41040 and CVE-2022-41082

Kaspersky has a report out on two Microsoft Exchange zero-days known as ProxyNotShell. Read more: CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Updated on 2022-10-11: Microsoft’s October Patch Tuesday Does Not Include Fix for ProxyNotShell Vulnerability

Microsoft’s October Patch Tuesday updates include fixes for two zero-day vulnerabilities and a critical privilege elevation and remote code execution flaw in Azure that received a CVSS rating of 10.0. One of the zero-days, a privilege elevation vulnerability in the Windows COM+ Event System Service, is being actively exploited. Notably, the release does not include fixes for the pair of Exchange Server vulnerabilities known as ProxyNotShell. In all, the October update includes fixes for 85 CVEs.

Note

  • One would hope that the Exchange patch would have been included. At least Microsoft has added an RSS feed to their Security Update Guide to facilitate tracking this particular issue (see story below). As to the monthly update, most of the flaws there are elevation of privilege bugs. Don’t forget to look to your Adobe security feeds as well. They just released updates to address 29 vulnerabilities in Acrobat and Reader, Commerce, Magento, and ColdFusion.
  • Not a routine fix. Likely to be distributed out of cycle when ready.


Updated on 2022-10-08: Microsoft Updates Exchange Server Mitigations Again

On October 8, Microsoft updated its suggested mitigations for two zero-day vulnerabilities in Exchange Server. The updated recommendations include a revised blocking rule in IIS Manager. The two vulnerabilities, which are collectively known as ProxyNotShell, can be chained to allow remote code execution.

Note

  • Let’s hope we will get a patch for this vulnerability today. Filtering malicious requests will always be a whack-a-mole game between defenders coming up with better rules and attackers finding bypasses as long as the actual vulnerability isn’t fixed.
  • The update to the instructions changes the blocking rule in IIS Manager from .*autodiscover\.json *Powershell.* to (?=.*autodiscover\.json)(?=.*powershell). It’s likely going to be easier to use the updated EOMTv2 PowerShell script and avoid transcription errors. There are still no patches; you will need to continue active monitoring for attempted exploits.
  • For those who are concerned that their servers may have been compromised, the Microsoft Safety Scanner is a tool that can quickly scan for any malicious software and is available to download for free from learn.microsoft.com: Microsoft Safety Scanner Download
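The blocking rule discussed in this update is applied through the IIS URL Rewrite module on the Exchange front-end site. As an added example (not Microsoft's EOMTv2 script and not code from this page), the script below builds that request-blocking rule with the WebAdministration cmdlets in an idempotent way and reads it back so you can see exactly what IIS stored. The regex is the revised one quoted above; the site name, the rule name and the condition input are assumptions for this example. The condition input URL-decodes the request URI before matching, so percent-encoded spellings of the two tokens do not slip past the lookaheads.

```powershell
# Added example, not Microsoft's EOMTv2 script: build the revised ProxyNotShell
# request-blocking rule with the URL Rewrite module and read it back. The regex
# is the one from the updated guidance; the site name, the rule name and the
# condition input are assumptions for this example (the input is URL-decoded so
# percent-encoded variants of the two tokens are still matched). Run elevated on
# the Exchange server; in production prefer the current EOMTv2 release.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName    = 'Default Web Site'                         # assumption: Exchange front-end site
$RuleName    = 'ProxyNotShell-Block-Example'              # assumption: our own rule name
$Pattern     = '(?=.*autodiscover\.json)(?=.*powershell)' # regex from the 8 October guidance
$SitePath    = "IIS:\Sites\$SiteName"
$RulesFilter = 'system.webServer/rewrite/rules'
$RuleFilter  = "$RulesFilter/rule[@name='$RuleName']"

# The rule lives in the URL Rewrite module; without it the rewrite section is not even valid.
if (-not (Get-WebGlobalModule -Name 'RewriteModule')) {
    throw 'IIS URL Rewrite module is not installed; install it before applying the rule.'
}

# Idempotency: drop an earlier copy of this rule so re-running never stacks duplicates.
if (Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter) {
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter $RulesFilter -Name '.' -AtElement @{ name = $RuleName }
}

# 1. The rule itself: regex syntax, and stop processing further rules once it fires.
Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesFilter -Name '.' -Value @{
    name           = $RuleName
    patternSyntax  = 'Regular Expressions'
    stopProcessing = 'True'
}
# 2. Match every URL; the real test is the condition below.
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match" -Name 'url' -Value '.*'

# 3. Condition on the decoded request URI, case-insensitively, using both lookaheads.
Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name '.' -Value @{
    input      = '{UrlDecode:{REQUEST_URI}}'   # assumption: decode before matching
    matchType  = 'Pattern'
    pattern    = $Pattern
    ignoreCase = 'True'
    negate     = 'False'
}
# 4. Abort the connection rather than rewriting or redirecting.
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'

# Verify what IIS actually stored, including the condition collection.
Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter |
    Select-Object name, patternSyntax, stopProcessing | Format-List
Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name 'Collection' |
    Select-Object input, matchType, pattern, ignoreCase | Format-List
```

The rule is a filter, not a fix: it only narrows the request shape an attacker can use, which is why the guidance kept changing as bypasses were found. After applying it, confirm that a normal Autodiscover request still succeeds and that a request containing both tokens is aborted, and keep the rule text aligned with whatever Microsoft's current guidance says rather than with this example.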


Updated on 2022-10-07: Microsoft warns of “ProxyNotShell” vulnerabilities in Exchange Server

Microsoft warned of two Exchange Server vulnerabilities, collectively referred to as “ProxyNotShell”, that have been actively exploited in the wild. One of them allows an attacker to execute code remotely on the targeted server. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attacker. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns.

Updated on 2022-10-06: Microsoft Releases Updated Mitigations for Exchange Server Flaws

Microsoft has updated its Customer Guidance for Reported Zero-day Vulnerabilities in Exchange Server; Microsoft’s initial mitigations were found to be insufficient. The flaws, which are together being called ProxyNotShell, were disclosed in September. Microsoft has not said when it expects to have a fix available.

Note

  • Keep an eye on the Microsoft guidance below. It has been revised at least three times. If you’re using the Microsoft provided scripts, such as EOMTv2, you need to grab the updated versions and run them again. Given that there is no patch yet, you really need to verify the path forward for on-premises Exchange servers, with an eye to getting out of that business.


Updated on 2022-10-05: Microsoft confirms exploitation of two Exchange Server zero-days

Well, it wouldn’t be a week in security without a zero-day drop. This week it’s two Microsoft Exchange flaws — one an SSRF and the other an RCE — that allow attackers to deploy backdoors and move laterally through a victim’s network. The bugs were discovered by Vietnamese outfit GTSC and confirmed by Microsoft a few hours later. But no immediate fix for on-premises server owners just yet. Since there’s no fix, you might want to look at some remediation advice.


Updated on 2022-10-05: Exchange zero-days

After a report from Vietnamese security firm GTSC, Microsoft formally confirmed the existence of two new Exchange zero-days on Friday. The OS maker released mitigations and assigned CVE-2022-41040 and CVE-2022-41082 to the two vulnerabilities, but did not provide a timeline for any security patches yet.

Updated on 2022-10-03

There’s a new Exchange zero-day, and it’s being used in active attacks. It’s actually two vulnerabilities: one an SSRF, and another an RCE. The company that found the issues, GTSC, has linked the exploits and the attacks to China.

Updated on 2022-10-03: Researchers Say Microsoft’s Mitigations for Exchange Server Zero-Days are Not Robust Enough; Microsoft is Developing Fixes on an “Accelerated Timeline”

Last week, Microsoft released mitigations to help protect users from attacks exploiting a pair of vulnerabilities in Exchange Server. The flaws are being actively exploited, and can be chained to attain remote code execution. Researchers now say that those mitigations can easily be bypassed. Actual patches for the vulnerabilities are not yet available; Microsoft says it is working on an “accelerated timeline” to make fixes available. On Sunday, October 2, Microsoft added this to the mitigation suggestions: “we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization.” [Ed: CISA has added the Exchange Server flaws to its Known Exploited Vulnerabilities catalog.]

Note

  • This vulnerability is a good example of the need for robust detection engineering to cover post-exploit activity. Rules to detect rogue DLLs or webshells will go a long way to detect activity well beyond Exchange flaws.
  • The trick is to focus on where you can raise the bar until a patch is released. Allowing PowerShell execution only from users who need it is a good first step. These attacks require account takeover. As such, make sure accounts, especially administrative ones, use MFA and are only allowed to connect from authorized devices/services. Employ separation of duties, require administrative accounts not be end user accounts, then monitor their use.
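Microsoft's October 2 recommendation, and the note above about allowing PowerShell only to users who need it, both come down to the RemotePowerShellEnabled attribute on each Exchange user. As an added example (not Microsoft's guidance text or script, and not code from this page), the script below disables remote PowerShell for every mailbox user who is not a member of an Exchange admin role group, keeps the account running the script enabled, and writes a CSV of what it touched. The list of role groups is an assumption to adjust for your organisation; nested security groups inside those role groups are not expanded, so add such administrators explicitly. Run it from the Exchange Management Shell with -WhatIf first.

```powershell
# Added example, not Microsoft's guidance text or script: turn off remote PowerShell
# for mailbox users who are not Exchange administrators, which is what the
# 2 October recommendation asks for. Run from the Exchange Management Shell.
# Assumptions (adjust for your organisation): members of the role groups in
# $AdminRoleGroups are the only people who need remote PowerShell; nested
# security groups inside those role groups are NOT expanded here, so add such
# admins explicitly or extend the allow list. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]] $AdminRoleGroups = @('Organization Management', 'Server Management',
                                    'Recipient Management', 'Help Desk'),
    [string]   $ReportPath = "$env:TEMP\RemotePowerShell-disabled.csv"
)

# Allow list keyed on distinguished name, so display-name collisions cannot cause a miss.
$allowed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ResultSize Unlimited -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$allowed.Add($_.DistinguishedName) }
}

# Never disable the account running this script; losing your own management access
# during an incident is worse than leaving one admin enabled.
$me = Get-User -Identity "$env:USERDOMAIN\$env:USERNAME" -ErrorAction SilentlyContinue
if ($me) { [void]$allowed.Add($me.DistinguishedName) }

$report = foreach ($user in Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if (-not $user.RemotePowerShellEnabled)         { continue }   # already off
    if ($allowed.Contains($user.DistinguishedName)) { continue }   # admin: keep on

    $changed = $false
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Set RemotePowerShellEnabled to $false')) {
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        $changed = $true
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        DistinguishedName = $user.DistinguishedName
        Changed           = $changed
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} non-admin account(s) had remote PowerShell enabled; details in {1}' -f @($report).Count, $ReportPath
```

Because CVE-2022-41082 needs an authenticated user who can reach the PowerShell endpoint, shrinking the set of such users shrinks the set of credentials an attacker can make use of after a phishing or password-spray success. The CSV doubles as a rollback list: re-enable the few users who turn out to have a legitimate need rather than reverting the whole change.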


Updated on 2022-09-30

Zero-day remote code execution vulnerabilities in Microsoft Exchange servers are being actively exploited, according to researchers from GTSC. The flaws can be chained to deploy web shells on vulnerable servers. The GTSC researchers notified Microsoft of the vulnerabilities three weeks ago via the Zero Day Initiative, which has given them identifiers: ZDI-CAN-18333 and ZDI-CAN-18802.

Note

  • Right now, information about this issue is still not complete. But there is a high probability that a new Microsoft Exchange flaw has been abused in the wild to compromise Exchange and install web shells. You should still double check that your Exchange servers are patched, and make sure you have detection rules in place to pick up any post exploit activity.
  • The Microsoft guidance for this vulnerability (first link below) covers two vulnerabilities: CVE-2022-41040 is a server-side request forgery and CVE-2022-41082 is an RCE flaw which is exploited using PowerShell. Both flaws require authenticated access and only apply to your on-premises Exchange environment. There is not currently a patch, so you need to implement the mitigations, which include augmenting the URL rewrite configuration for your Autodiscover service to block known attack patterns and blocking HTTP/HTTPS ports 5895 and 5896. Better still, migrate off your on-premises Exchange servers.
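Both notes above, and the detection-engineering note in the October 3 update, stress having detection in place for exploit attempts against the front end. As an added example (not the detection query published by GTSC or Microsoft, and not code from this page), the script below parses IIS W3C logs from the Exchange front end into objects, URL-decodes each request, and flags requests that carry both the autodiscover.json and powershell tokens, separating those that returned 200 (reached the back end, treat as a likely compromise) from rejected attempts. The #Fields header and the sample log lines are constructed for the demo and are not real traffic; point -LogPath at the real IIS log directory to scan production logs.

```powershell
# Added example, not the detection query published by GTSC or Microsoft: parse IIS
# W3C logs from the Exchange front end and flag ProxyNotShell-style requests.
# Assumptions: the #Fields header is the IIS default shown in the sample; the
# sample log is constructed for this demo and is not real traffic. Run with
# -LogPath C:\inetpub\logs\LogFiles\W3SVC1 to scan real logs.
param(
    [string] $LogPath     # directory of IIS logs; omitted = run on the constructed sample
)

$Pattern = '(?=.*autodiscover\.json)(?=.*powershell)'   # same lookaheads as the mitigation rule

# Constructed sample (default IIS W3C fields). Line 2 is a plain attempt that got 200,
# line 3 is the same request percent-encoded and rejected, line 4 is ordinary Autodiscover.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120
2022-09-29 08:13:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.10 python-requests/2.28 - 200 0 0 3124
2022-09-29 08:14:02 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example%2FPowerShell%3FEmail%3Dautodiscover%2Fautodiscover.json 443 - 203.0.113.10 python-requests/2.28 - 401 1 0 50
2022-09-29 08:20:10 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@contoso.com 443 contoso\alice 10.0.0.40 Outlook/16.0 - 200 0 0 80
'@

function ConvertFrom-W3CLog {
    # Turn W3C lines into objects, using the most recent #Fields header for column names.
    param([string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim()) -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }                       # data before any header: unmappable
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }    # malformed or truncated line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-ProxyNotShellRequest {
    param([object[]] $Entries)
    foreach ($e in $Entries) {
        # Decode stem+query first: a plain text match misses %2F / %40 encoded attempts.
        $decoded = [uri]::UnescapeDataString(('{0}?{1}' -f $e.'cs-uri-stem', $e.'cs-uri-query'))
        if ($decoded -notmatch $Pattern) { continue }        # -match is case-insensitive
        $status  = [int]$e.'sc-status'
        # A 200 means the request reached the back end; that is the case to treat as a likely compromise.
        $verdict = if ($status -eq 200) { 'Likely successful: investigate host' } else { 'Attempt (rejected)' }
        [pscustomobject]@{
            Time      = '{0} {1}' -f $e.date, $e.time
            ClientIP  = $e.'c-ip'
            Method    = $e.'cs-method'
            Status    = $status
            Verdict   = $verdict
            Request   = $decoded
            UserAgent = $e.'cs(User-Agent)'
        }
    }
}

$lines = if ($LogPath) {
    Get-ChildItem -Path $LogPath -Filter '*.log' -Recurse | Get-Content
} else {
    $SampleLog -split "`r?`n"
}

$hits = @(Find-ProxyNotShellRequest -Entries (ConvertFrom-W3CLog -Lines $lines))
$hits | Format-Table Time, ClientIP, Status, Verdict, Request -AutoSize
'{0} matching request(s)' -f $hits.Count
```

On the constructed sample this reports two hits: the plain-text attempt with status 200 and its percent-encoded twin with status 401; the ordinary Autodiscover request is not flagged. A 200 hit is the trigger for the post-exploit hunting the notes call for (new web shells under the Exchange directories, unexpected child processes of w3wp.exe, and newly created accounts), because the front-end log only proves the request got through, not what happened next. Note also that the WinRM ports Microsoft's guidance blocks for remote PowerShell are 5985 (HTTP) and 5986 (HTTPS).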


Updated on 2022-09-29

Microsoft confirmed two new zero-day vulnerabilities impacting Exchange Server 2013, 2016, and 2019. The two unpatched flaws, which are already being exploited in the wild, can allow attackers to achieve remote access to affected systems. Read more: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Overview

Vietnamese security firm GTSC said it identified a new Microsoft Exchange email server zero-day being used in ongoing attacks. GTSC said it reported the issue to Microsoft via the ZDI program. Details about the zero-day are available in the company’s blog post. RBN understands that this zero-day has been abused by an APT actor against local companies. Read more: WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
