Microsoft Exchange - Remote Code Execution (ProxyNotShell - CVE-2022-41040, CVE-2022-41082) (CVE-2022-41040, CVE-2022-41082)

Microsoft Exchange server is vulnerable to CVE-2022-41082, a Remote Code Execution vulnerability which can be triggered by an authenticated attacker remotely by using CVE-2022-41040, a Server-Side Request Forgery vulnerability, affecting the Autodiscover endpoint. This chain of vulnerabilities is better known as ProxyNotShell. The root cause of ProxyNotShell is the insufficient checks on the URL, this allows attackers to pass Autodiscover/Autodiscover.json to the Email field which leads to arbitrary access to the backend services with administrative privileges.

The risk exists that a remote authenticated attacker can fully compromise the Exchange server in order to steal confidential information, install ransomware or pivot to the internal network.

Applying the latest Microsoft patch for the Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has alredy been compromised by malicious actors. An analysis by looking for indicators of compromise must be done.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040