Many Exchange servers still vulnerable to ProxyNotShell flaw

Approximately 60,000 IP addresses with internet-facing Exchange Server instances are still vulnerable to ProxyNotShell flaw CVE-2022-41082, according to cybersecurity nonprofit Shadowserver Foundation.

ProxyNotShell refers to a pair of Exchange Server zero-day vulnerabilities first disclosed in September that were chained together by threat actors in a series of targeted attacks. One flaw, CVE-2022-41040, is a server-side request forgery flaw, and the other, CVE-2022-41082, is a remote code execution bug. The name ProxyNotShell is a reference to ProxyShell, a now-infamous series of flaws disclosed in 2021.

Microsoft did not patch ProxyNotShell until its November Patch Tuesday release. Until then, the company urged customers to mitigate the vulnerabilities by applying URL Rewrite instructions for the Autodiscover endpoint at the center of the exploit chain.

However, CrowdStrike published a blog post last month revealing that a new exploit chain, referred to as “OWASSRF,” bypassed Microsoft’s URL Rewrite mitigations. OWASSRF combines ProxyNotShell bug CVE-2022-41082 with elevation of privilege flaw CVE-2022-41080, and it has been used in several Play ransomware attacks in recent weeks.

CrowdStrike urged organizations to apply the November Patch Tuesday fix, which addresses the new chain. OWASSRF is considered particularly dangerous because it affects organizations that applied mitigations under the impression that patching ProxyNotShell was not necessary. CrowdStrike and Rapid7 have both observed an increase in Exchange Server compromises where OWASSRF was the suspected cause.

Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, has been scanning for IP addresses with instances of Microsoft Exchange Server that are likely vulnerable to CVE-2022-41082. On Dec. 21, the day after CrowdStrike’s research went live, Shadowserver found 83,946 vulnerable IP addresses. As of Jan. 2, that number had dropped to 60,865.

[Chart: Shadowserver’s count of IP addresses with Exchange Server instances that are likely vulnerable to CVE-2022-41082. Caption: As of Jan. 2, approximately 60,865 instances of Microsoft Exchange Server remained vulnerable to the OWASSRF exploit chain.]

Shadowserver CEO Piotr Kijewski told TechTarget Editorial that compared with other recent Exchange Server security…