
Black Arrow Cyber Advisory 04/01/2023 – Over 60,000 Microsoft Exchange Servers Remain Vulnerable to “ProxyNotShell”

Executive Summary

ShadowServer, a nonprofit security organisation, has identified that more than 60,000 internet-exposed on-premises Microsoft Exchange servers have yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability and the CVE-2022-41040 Server-Side Request Forgery (SSRF) vulnerability, previously described in our advisory of 3rd October 2022. The two are known collectively as “ProxyNotShell”, and exploiting them requires authentication with the Exchange server. This means an attacker would already need working credentials for a standard user.

What’s the risk to me or my business?

Successful exploitation of these vulnerabilities would grant an attacker the ability to remotely execute code on the underlying server, allowing them to perform reconnaissance on the environment and exfiltrate data from the network. Microsoft Exchange Online users are not affected by these vulnerabilities.

What can I do?

Microsoft strongly recommends applying the Exchange Server updates for CVE-2022-41040 and CVE-2022-41082. The previous mitigations given by Microsoft are no longer recommended.

Further information on the two vulnerabilities can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040 and https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082

Microsoft customer guidance can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

ShadowServer Vulnerability Report: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/

Need help understanding your gaps, or just want some advice? Get in touch with us.
