
Microsoft Exchange - Remote Code Execution (ProxyNotShell - CVE-2022-41040, CVE-2022-41082)

Severity
CVSSv3 Score
8.8
Vulnerability description

Microsoft Exchange Server is vulnerable to CVE-2022-41082, a remote code execution vulnerability that an authenticated attacker can trigger remotely by using CVE-2022-41040, a server-side request forgery vulnerability affecting the Autodiscover endpoint. This chain of vulnerabilities is better known as ProxyNotShell. The root cause of ProxyNotShell is insufficient checking of the URL, which allows attackers to pass Autodiscover/Autodiscover.json in the Email field, leading to arbitrary access to the backend services with administrative privileges.

Risk description

The risk exists that a remote authenticated attacker can fully compromise the Exchange server in order to steal confidential information, install ransomware or pivot to the internal network.

Recommendation

Applying the latest Microsoft patch for Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors. The server must be analyzed for indicators of compromise.
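
One way to start that analysis, as an added example that is not part of the original advisory or of any Microsoft tooling: a Python triage script that scans IIS W3C logs for Autodiscover requests whose Email parameter contains Autodiscover/Autodiscover.json, the request shape described above. The log lines, addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

# String the advisory says is passed in the Email field (compared lowercased).
MARKER = "autodiscover/autodiscover.json"

# Constructed sample in IIS W3C format; domains and addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-10-01 08:00:01 POST /autodiscover/autodiscover.xml - alice 192.0.2.10 200
2022-10-01 08:00:07 GET /autodiscover/autodiscover.json Email=bob@example.invalid&Protocol=ActiveSync - 192.0.2.11 200
2022-10-01 08:02:13 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.invalid - 203.0.113.5 200
2022-10-01 08:02:19 GET /Autodiscover/Autodiscover.json EMAIL=Autodiscover%2FAutodiscover.json%253F%40example.invalid - 203.0.113.5 401
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still matched."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def email_params(query):
    """Yield the decoded value of every Email parameter (name is case-insensitive)."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if fully_decode(name).lower() == "email":
            yield fully_decode(value)

def find_suspicious(log_text):
    """Return parsed log rows whose Email parameter carries the Autodiscover path."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if "autodiscover" not in row.get("cs-uri-stem", "").lower():
            continue
        if any(MARKER in v.lower() for v in email_params(row.get("cs-uri-query", ""))):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["sc-status"], hit["cs-uri-query"])
```

A match shows that the request shape reached the server, not that exploitation succeeded; treat hits as starting points for deeper review of the host.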

Codename
ProxyNotShell
Detectable with
Network Scanner
Exploitable with Sniper
No
Vuln date
Sep 2022
Published at
Updated at
Software Type
Email server
Vendor
Microsoft
Product
Exchange Server