Home Platform updates Detect ProxyShell (pre-auth Microsoft Exchange RCE) with Pentest-Tools.com

Detect ProxyShell (pre-auth Microsoft Exchange RCE) with Pentest-Tools.com

by Andra Zaharia

Reading time

2 minutes

Reading Time: 2 minutes

On-prem Microsoft Exchange servers have created a lot of work for IT and security specialists in the past months.

In March, ProxyLogon left servers vulnerable to Server-Side Request Forgery through CVE-2021-26855, so we launched a dedicated scanner for it.

In May, #proxynotfound popped up, so we integrated detection for it into our Network Vulnerability Scanner to make detection and reporting faster.

Now bad actors are racing to exploit ProxyShell, an attack chain that exploits three CVEs to get Remote Code Execution on the target host:

Web and Application 0-day researcher Orange Tsai presented ProxyShell at Black Hat US 2021 and, once public, the technical details attracted ethical hackers and malicious ones alike.

As it often happens with these vulnerabilities and the attack chains that increase their negative impact, a flurry followed. Pentesters and defenders are rushing to detect, report, and patch vulnerable targets while cybercriminals focus on installing webshells and gaining persistence.

Detect the ProxyShell attack chain with Pentest-Tools.com

If your scans with our Network Vulnerability Scanner reveal vulnerable targets, you get a ready-to-go report that’s pre-filled with risk description and recommendations.

Here’s what the sample report looks like:

proxyshell finding example pentest-tools.com report

And here’s a preview of the recommendations section:

Applying the latest Microsoft patch for the Exchange Server fixes this vulnerability.

If the affected server was exposed to the Internet, we recommend looking for indicators of compromise (IoCs), as there is a high probability malicious actors have already compromised it.

Scan your targets in minutes

Find exposed servers

Exploitation interest remains high and an estimated 13.000 Exchange servers are still vulnerable, according to the latest data:

Later edit [Aug 12, 2021] The news cycle may have gotten over ProxyShell, but bad actors definitely haven’t:

It doesn’t make things easier for defenders that exploiting ProxyShell doesn’t require any credentials and can be triggered on port 443, which is used by Exchange’s Client Access Service (CAS). However, it does make it really appealing and handy for malicious attackers.

A reminder on the business value of on-prem Microsoft Exchange servers: company email servers hold business secrets, confidential conversations and attachments, and pretty much are the lifeblood of organizations.

A motivated cybercriminal knows how to take advantage of access to the server to monetize it in many ways (extortion, data exfiltration and selling, recon for subsequent attacks, stepping stone for a supply chain attack, Business Email Compromise, etc.).

Detect Proxyshell

Find exposed servers

Related Posts

November 2021 updates on Pentest-Tools.com

November updates for powerful workflows, including detection for Log4Shell

Pentest-Tools.com September platform updates 2021

Detect & exploit the latest CVEs + more automation updates



Subscribe to our Platform Updates

Please select how you would like to hear from Pentest-Tools.com:

Unsubscribe any time by clicking the link in the footer of our emails.
For information about our privacy practices, please visit https://pentest-tools.com/.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing.
Learn more about Mailchimp's privacy practices here.

View previous campaigns.