Microsoft Exchange - Remote Code Execution (ProxyNotShell - CVE-2022-41040, CVE-2022-41082)
- Severity
- CVSSv3 Score
- 8.8
- Vulnerability description
Microsoft Exchange Server is vulnerable to CVE-2022-41082, a Remote Code Execution vulnerability that an authenticated attacker can trigger remotely by chaining it with CVE-2022-41040, a Server-Side Request Forgery vulnerability affecting the Autodiscover endpoint. This chain of vulnerabilities is better known as ProxyNotShell. The root cause of ProxyNotShell is insufficient validation of the URL, which allows attackers to pass
Autodiscover/Autodiscover.json
in the Email field, leading to arbitrary access to backend services with administrative privileges.
- Risk description
A remote authenticated attacker could fully compromise the Exchange server in order to steal confidential information, install ransomware, or pivot into the internal network.
- Recommendation
Applying the latest Microsoft patch for Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors; an analysis looking for indicators of compromise must be performed.
- References
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040
- Codename
- ProxyNotShell
- Detectable with
- Network Scanner
- Exploitable with Sniper
- No
- Vuln date
- Sep 2022
- Published at
- Updated at
- Software Type
- Email server
- Vendor
- Microsoft
- Product
- Exchange Server