CVE-2022-41040

Vulnerability Profile Updated 3 months ago
Download STIX
Preview STIX
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanisms previously targeted during the ProxyLogon and ProxyShell campaigns in 2021. In this instance, an authenticated variation called ProxyNotShell was used, demonstrating a significant evolution of threat actor techniques. The Cortex XSOAR playbook, titled "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell," was updated to address these new threats. It incorporated additional hunting, remediation, and mitigation tasks to identify and respond to exploitation attempts effectively. This update represented a proactive approach to managing the risks associated with these vulnerabilities, providing organizations with the tools needed to detect and respond to potential attacks leveraging these flaws. However, despite these mitigation efforts, threat actors found ways to bypass ProxyNotShell mitigations. They used an alternative exploitation vector that abused another vulnerability, CVE-2022-41080, to achieve their objectives. As highlighted in the report, ransomware-affiliated actors were able to exploit this vulnerability, showing the persistent and evolving nature of these cyber threats. This underscores the need for continuous monitoring, updating, and refining of security measures to combat such dynamic threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Proxynotshell
6
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Proxylogon
1
ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Microsoft
Moveit
Zero Day
China
Chromium
Proxy
Ransomware
exploitation
Blizzard
Vulnerability
Cloudflare
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
LockbitUnspecified
1
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
APT41Unspecified
1
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Unc3886Unspecified
1
UNC3886 is a threat actor with suspected links to China, known for its cyber espionage operations targeting global strategic organizations. Since 2021, this advanced persistent threat (APT) group has been exploiting a VMware zero-day vulnerability, identified as CVE-2023-34048. The cybersecurity ind
Cadet BlizzardUnspecified
1
Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2022-41082Unspecified
3
CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
ProxyshellUnspecified
3
ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
Proxynotshell Cve-2022-41040Unspecified
2
None
CVE-2018-13379Unspecified
2
CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
Proxyshell Cve-2021-34473Unspecified
1
ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra
CVE-2023-2868Unspecified
1
CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2022-41328Unspecified
1
CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2021-44207Unspecified
1
CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
CVE-2022-41080Unspecified
1
CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
FollinaUnspecified
1
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Proxynotshell CveUnspecified
1
None
OwassrfUnspecified
1
OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha
CVE-2021-34473Unspecified
1
CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
Source Document References
Information about the CVE-2022-41040 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
5 months ago
Sensor Intel Series: Top CVEs in December 2023
BankInfoSecurity
7 months ago
Breach Roundup: MongoDB Blames Phishing Email for Breach
CISA
7 months ago
#StopRansomware: Play Ransomware | CISA
CERT-EU
7 months ago
Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
CERT-EU
8 months ago
Sensor Intel Series: Top CVEs in October 2023
CrowdStrike
9 months ago
Patch Tuesday Turns 20: The Impact of Microsoft’s Vulnerability Problem
CERT-EU
10 months ago
Sensor Intel Series: Top CVEs in August 2023 | F5 Labs
CERT-EU
10 months ago
My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
DARKReading
a year ago
'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign
CERT-EU
a year ago
Unmasking the top exploited vulnerabilities of 2022 – GIXtools
Securityaffairs
a year ago
In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues
CERT-EU
a year ago
The attack via Progress MOVEit Transfer
CERT-EU
a year ago
View the latest outbreak alerts on cyber-attacks | FortiGuard Labs
Unit42
a year ago
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
CERT-EU
a year ago
Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU
a year ago
Sensor Intel Series: Top CVEs in May 2023
CERT-EU
a year ago
New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
Unit42
a year ago
Threat Brief: OWASSRF Vulnerability Exploitation
Securelist
a year ago
CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
CSO Online
a year ago
CISA kicks off ransomware vulnerability pilot to help spot ransomware-exploitable flaws