CVE-2022-41040

Vulnerability updated 7 months ago (2024-05-04T19:55:54.196Z)
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022 together with a second flaw, CVE-2022-41082. The two zero-day vulnerabilities were collectively known as ProxyNotShell. They were exploited to compromise Microsoft Exchange through the same proxy mechanisms that the ProxyLogon and ProxyShell campaigns targeted in 2021; in this instance an authenticated variant, ProxyNotShell, was used, a notable evolution of the threat actors' techniques.

The Cortex XSOAR playbook "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell" was updated in response. It added hunting, remediation, and mitigation tasks to identify exploitation attempts and respond to them, giving organizations the tools to detect and respond to attacks leveraging these flaws.

Despite these mitigation efforts, threat actors found a way around the ProxyNotShell mitigations: an alternative exploitation vector that abused another vulnerability, CVE-2022-41080. As highlighted in the report, ransomware-affiliated actors exploited this vulnerability, illustrating the persistent and evolving nature of these threats and the need for continuous monitoring, updating, and refinement of security measures.
Description last updated: 2024-05-04T18:19:13.238Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Proxynotshell (6 votes)
Description: Proxynotshell is a possible alias for CVE-2022-41040. ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Microsoft
Associated Vulnerabilities
Alias: ProxyShell (association type: Unspecified; 3 votes)
Description: The Proxyshell Vulnerability is associated with CVE-2022-41040. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac

Alias: CVE-2022-41082 (association type: Unspecified; 3 votes)
Description: The CVE-2022-41082 Vulnerability is associated with CVE-2022-41040. CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack

Alias: Proxynotshell Cve-2022-41040 (association type: Unspecified; 2 votes)
Description: The vulnerability Proxynotshell Cve-2022-41040 is associated with CVE-2022-41040.

Alias: CVE-2018-13379 (association type: Unspecified; 2 votes)
Description: The CVE-2018-13379 Vulnerability is associated with CVE-2022-41040. CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
Source Document References
Information about the CVE-2022-41040 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source (created at)
CISA (10 days ago)
CERT-EU (a year ago)
CERT-EU (9 months ago)
BankInfoSecurity (a year ago)
CISA (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CrowdStrike (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Unit42 (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Unit42 (2 years ago)