CVE-2022-41040

Vulnerability Profile
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, publicly disclosed in late September 2022 together with a second flaw, CVE-2022-41082, a remote code execution (RCE) vulnerability reachable through Exchange's PowerShell backend. Chained and exploited as zero-days in the wild, the pair became known as ProxyNotShell. Like the ProxyLogon and ProxyShell campaigns of 2021, the chain abuses the Exchange front-end proxy that forwards client requests to backend services; unlike them, ProxyNotShell requires authenticated access to the server, which is why it is described as an authenticated variation of the earlier attacks.

Palo Alto Networks updated its Cortex XSOAR playbook, "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell," with additional hunting, remediation, and mitigation tasks for identifying and responding to exploitation attempts, giving organizations a structured way to detect and contain attacks leveraging these flaws.

The mitigations did not hold. Threat actors bypassed the ProxyNotShell mitigations with an alternative exploitation vector, later named OWASSRF, that reaches the same RCE bug (CVE-2022-41082) through a different SSRF, CVE-2022-41080, exposed via Outlook Web Access rather than the Autodiscover endpoint. Ransomware-affiliated actors, including the Play ransomware operation described in the CISA advisory cited below, exploited this path in the wild. The lesson is that a mitigation scoped to one entry point (Microsoft's initial mitigation was a request-filtering rule on the Autodiscover path) does not remove the underlying vulnerable component, so detection and patching have to cover every route to it, and mitigations need re-checking as new vectors appear.
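As an added example (not code from the original page, the cited reports, or the Cortex XSOAR playbook), the following Python hunts IIS W3C logs for the two request chains described above and shows why a mitigation scoped to the Autodiscover path misses the OWASSRF route. The Autodiscover hunting string and the URL Rewrite regex follow Microsoft's originally published ProxyNotShell detection and mitigation patterns; the OWA pattern is an assumed illustrative one derived from the page's statement that OWASSRF went through Outlook Web Access, not a verified indicator. All log lines are constructed.

```python
"""Hunt IIS W3C logs for ProxyNotShell- and OWASSRF-style request chains.

Added example for this profile page; not code from the original page, the cited
reports, or the Cortex XSOAR playbook. The log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Microsoft's originally published URL Rewrite mitigation for ProxyNotShell,
# applied to REQUEST_URI. Note that it is scoped to the Autodiscover path only.
MITIGATION_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Hunting patterns. The first follows Microsoft's published ProxyNotShell
# detection string (autodiscover.json + '@' + powershell). The second is an
# ASSUMED illustrative pattern: the page states that OWASSRF reached the
# PowerShell backend via Outlook Web Access, so we flag any /owa/ request
# whose URI targets powershell. Tune both against your own baseline traffic.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
OWASSRF_RE = re.compile(r"^/owa/.*powershell", re.IGNORECASE)

# Constructed sample log (W3C extended format, IIS default fields). Not real traffic.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 04:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell 443 CONTOSO\jdoe 203.0.113.10 python-requests/2.28 - 200 0 0 221
2022-09-29 04:12:05 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.contoso.example%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2022-09-29 04:13:09 10.0.0.5 POST /autodiscover/autodiscover.json a=b 443 CONTOSO\jdoe 203.0.113.10 Mozilla/5.0 - 200 0 0 30
2022-12-02 11:45:33 10.0.0.5 POST /owa/mastermailbox%40outlook.com/powershell - 443 CONTOSO\jdoe 203.0.113.10 Mozilla/5.0 - 200 0 0 187
"""


@dataclass
class Hit:
    line_no: int
    technique: str
    client_ip: str
    user: str
    status: str
    uri: str
    mitigation_would_block: bool  # would the Autodiscover-scoped rewrite rule have stopped it?


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict) for each data row, using the #Fields header."""
    fields: List[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than guess at field alignment
        yield n, dict(zip(fields, values))


def request_uri(rec: Dict[str, str]) -> str:
    """Rebuild the request URI the way a URL Rewrite rule on REQUEST_URI sees it."""
    stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log row matching either chain, in log order."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(lines):
        uri = request_uri(rec)
        if PROXYNOTSHELL_RE.search(uri):
            technique = "ProxyNotShell (CVE-2022-41040 -> CVE-2022-41082)"
        elif OWASSRF_RE.search(uri):
            technique = "OWASSRF (CVE-2022-41080 -> CVE-2022-41082)"
        else:
            continue
        hits.append(Hit(n, technique, rec.get("c-ip", "-"), rec.get("cs-username", "-"),
                        rec.get("sc-status", "-"), uri,
                        MITIGATION_PATTERN.match(uri) is not None))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        verdict = "blocked by rewrite rule" if h.mitigation_would_block else "NOT covered by rewrite rule"
        print(f"line {h.line_no}: {h.technique} from {h.client_ip} as {h.user} "
              f"status {h.status} uri={h.uri} -> {verdict}")
```

Run against real logs by feeding `hunt()` the lines of each file under the IIS log directory (typically `C:\inetpub\logs\LogFiles\W3SVC*`). On the constructed sample, the Autodiscover request is both flagged and matched by the rewrite rule, while the OWA request is flagged but not matched, which is exactly the gap OWASSRF exploited; the user field on both rows also reflects that these chains require an authenticated session.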
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): profile description

Proxynotshell (6 votes): ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t

Proxylogon (1 vote): ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Exploit
Vulnerability
Cloudflare
Moveit
Zero Day
China
Chromium
Proxy
Ransomware
exploitation
Blizzard
Associated Malware
ID (type, votes): profile description

LockBit (unspecified, 1 vote): LockBit is a significant malware operation, first surfacing in September 2019 and becoming one of the most active ransomware groups by 2022. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit recruited affiliates to execute attacks using its tools and infrastructure. From its first obse
Associated Threat Actors
ID (type, votes): profile description

APT41 (unspecified, 1 vote): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least

UNC3886 (unspecified, 1 vote): UNC3886 is a threat actor with suspected links to Beijing, China, that has been active in the cyber-espionage landscape. A threat actor refers to any human entity behind the execution of actions with malicious intent, which can range from an individual hacker to a private company or even part of a g

Cadet Blizzard (unspecified, 1 vote): Cadet Blizzard, a new Advanced Persistent Threat (APT) group linked to Russia's GRU military intelligence unit, has been identified by Microsoft researchers. Active since at least 2020, the group has seen some recent success in its operations. Cadet Blizzard has reportedly received support from at l
Associated Vulnerabilities
ID (type, votes): profile description

Proxyshell (unspecified, 3 votes): ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in

CVE-2022-41082 (unspecified, 3 votes): CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack

CVE-2018-13379 (unspecified, 2 votes): CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20

Proxynotshell Cve-2022-41040 (unspecified, 2 votes): (no profile description)

Proxyshell Cve-2021-34473 (unspecified, 1 vote): ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra

CVE-2023-2868 (unspecified, 1 vote): CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October

CVE-2022-41328 (unspecified, 1 vote): CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem

CVE-2021-44207 (unspecified, 1 vote): CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported

CVE-2022-41080 (unspecified, 1 vote): CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute

Follina (unspecified, 1 vote): Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou

Proxynotshell Cve (unspecified, 1 vote): (no profile description)

Owassrf (unspecified, 1 vote): OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha

CVE-2021-34473 (unspecified, 1 vote): CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
Source Document References
Information about the CVE-2022-41040 vulnerability was read from the documents in the corpus below (first 20 results).
Source (created): title

CISA (6 months ago): #StopRansomware: Play Ransomware | CISA
CrowdStrike (8 months ago): Patch Tuesday Turns 20: The Impact of Microsoft's Vulnerability Problem
Unit42 (a year ago): Threat Brief: OWASSRF Vulnerability Exploitation
CERT-EU (a year ago): Sensor Intel Series: Top CVEs in May 2023
CERT-EU (10 months ago): Unmasking the top exploited vulnerabilities of 2022 – GIXtools
DARKReading (10 months ago): 'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign
BankInfoSecurity (6 months ago): Breach Roundup: MongoDB Blames Phishing Email for Breach
CERT-EU (4 months ago): Sensor Intel Series: Top CVEs in December 2023
CERT-EU (a year ago): Sensor Intel Series: Top CVEs in February 2023 | F5 Labs
CSO Online (a year ago): CISA kicks off ransomware vulnerability pilot to help spot ransomware-exploitable flaws
CERT-EU (9 months ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Securelist (a year ago): CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
CERT-EU (a year ago): Sensor Intel Series: Top CVEs in April 2023 | F5 Labs
CERT-EU (a year ago): View the latest outbreak alerts on cyber-attacks | FortiGuard Labs
CERT-EU (6 months ago): Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Unit42 (a year ago): Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
CERT-EU (7 months ago): Sensor Intel Series: Top CVEs in October 2023
Securityaffairs (a year ago): In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues
CERT-EU (a year ago): New Russia's GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
CERT-EU (a year ago): The attack via Progress MOVEit Transfer