In late September 2022, Microsoft released information on two previously unknown zero-day vulnerabilities affecting Microsoft Exchange, collectively known as “ProxyNotShell”. Security researchers noted that these vulnerabilities were being actively exploited in the wild. The two vulnerabilities (CVE-2022-41040 and CVE-2022-41082) are known to impact Microsoft Exchange Server 2013, 2016, and 2019. According to Microsoft, ProxyNotShell consists of two vulnerabilities: “… the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.” Microsoft notes that successful exploitation of either vulnerability requires authentication.
ProxyNotShell Hunt Packages
Because the vulnerabilities associated with ProxyNotShell are being actively exploited in the wild, Cyborg Security has released several hunt packages to the community to detect behaviors known to be associated with the attack. Sign up for a free Community HUNTER Account to get exclusive access to these hunt packages today!