CVE-2022-41040

Vulnerability updated 4 months ago (2024-05-04T19:55:54.196Z)

Download STIX

Preview STIX

CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanisms previously targeted during the ProxyLogon and ProxyShell campaigns in 2021. In this instance, an authenticated variation called ProxyNotShell was used, demonstrating a significant evolution of threat actor techniques. The Cortex XSOAR playbook, titled "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell," was updated to address these new threats. It incorporated additional hunting, remediation, and mitigation tasks to identify and respond to exploitation attempts effectively. This update represented a proactive approach to managing the risks associated with these vulnerabilities, providing organizations with the tools needed to detect and respond to potential attacks leveraging these flaws. However, despite these mitigation efforts, threat actors found ways to bypass ProxyNotShell mitigations. They used an alternative exploitation vector that abused another vulnerability, CVE-2022-41080, to achieve their objectives. As highlighted in the report, ransomware-affiliated actors were able to exploit this vulnerability, showing the persistent and evolving nature of these cyber threats. This underscores the need for continuous monitoring, updating, and refining of security measures to combat such dynamic threats.

Description last updated: 2024-05-04T18:19:13.238Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Proxynotshell	6	ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Exploit

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

ID	Type	Votes	Profile Description
Proxyshell	Unspecified	3	ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
CVE-2022-41082	Unspecified	3	CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
Proxynotshell Cve-2022-41040	Unspecified	2	None
CVE-2018-13379	Unspecified	2	CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20

Source Document References

Information about the CVE-2022-41040 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Emerging Threat: What to Know About the Play Ransomware Group
CERT-EU	7 months ago	Sensor Intel Series: Top CVEs in December 2023
BankInfoSecurity	9 months ago	Breach Roundup: MongoDB Blames Phishing Email for Breach
CISA	9 months ago	#StopRansomware: Play Ransomware \| CISA
CERT-EU	9 months ago	Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
CERT-EU	9 months ago	Sensor Intel Series: Top CVEs in October 2023
CrowdStrike	10 months ago	Patch Tuesday Turns 20: The Impact of Microsoft’s Vulnerability Problem
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in August 2023 \| F5 Labs
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
DARKReading	a year ago	'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign
CERT-EU	a year ago	Unmasking the top exploited vulnerabilities of 2022 – GIXtools
Securityaffairs	a year ago	In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues
CERT-EU	a year ago	The attack via Progress MOVEit Transfer
CERT-EU	a year ago	View the latest outbreak alerts on cyber-attacks \| FortiGuard Labs
Unit42	a year ago	Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
CERT-EU	a year ago	Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in May 2023
CERT-EU	a year ago	New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
Unit42	2 years ago	Threat Brief: OWASSRF Vulnerability Exploitation
Securelist	2 years ago	CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange