Platform updates

Detect ProxyShell (pre-auth Microsoft Exchange RCE) with

Updated at
Article tags

On-prem Microsoft Exchange servers have created a lot of work for IT and security specialists in the past months.

In March, ProxyLogon left servers vulnerable to Server-Side Request Forgery through CVE-2021-26855, so we launched a dedicated scanner for it.

In May, #proxynotfound popped up, so we integrated detection for it into our Network Vulnerability Scanner to make detection and reporting faster.

Now bad actors are racing to exploit ProxyShell, an attack chain that exploits three CVEs to get Remote Code Execution on the target host:

Web and Application 0-day researcher Orange Tsai presented ProxyShell at Black Hat US 2021 and, once public, the technical details attracted ethical hackers and malicious ones alike.

DEF CON 29 - Orange Tsai - ProxyLogon Just Tip of the Iceberg, New Attack Surface on Exchange Server

As often happens with these vulnerabilities and the attack chains that increase their negative impact, a flurry followed. Pentesters and defenders are rushing to detect, report, and patch vulnerable targets while cybercriminals focus on installing web shells and gaining persistence.

Detect the ProxyShell attack chain with

If your scans with our Network Vulnerability Scanner reveal vulnerable targets, you get a ready-to-go report that’s pre-filled with risk descriptions and recommendations.

Here’s what the sample report looks like:

proxyshell finding example report

And here’s a preview of the recommendations section:

Applying the latest Microsoft patch for the Exchange Server fixes this vulnerability.

If the affected server was exposed to the Internet, we recommend looking for indicators of compromise (IoCs), as there is a high probability malicious actors have already compromised it.

Scan your targets in minutes

Exploitation interest remains high and an estimated 13.000 Exchange servers are still vulnerable, according to the latest data:

proxyshell – short summary and vulnscan-results #dfir #proxyshell

— ZeroBSGmbH (@zeroB_S) August 11, 2021


Later edit [Aug 12, 2021]

The news cycle may have gotten over ProxyShell, but bad actors definitely haven’t.

More than 18% of Exchange servers remain unpatched for the ProxyShell vulnerability. Nearly 40% are vulnerable to CVE-2021-31206

— Shodan (@shodanhq) August 11, 2021

It doesn’t make things easier for defenders that exploiting ProxyShell doesn’t require any credentials and can be triggered on port 443, which is used by Exchange’s Client Access Service (CAS). However, it does make it really appealing and handy for malicious attackers.

A reminder on the business value of on-prem Microsoft Exchange servers: company email servers hold business secrets, confidential conversations, and attachments, and pretty much are the lifeblood of organizations.

A motivated cybercriminal knows how to take advantage of access to the server to monetize it in many ways (extortion, data exfiltration, and selling, recon for subsequent attacks, stepping stone for a supply chain attack, Business Email Compromise, etc.).

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account


© 2013-2024 has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn! has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.