Proxynotshell

Vulnerability updated 4 months ago (2024-05-04T17:40:01.141Z)
ProxyNotShell is a software vulnerability in Microsoft Exchange Server, specifically a flaw in the server's design or implementation. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method used an AutoDiscover endpoint to exploit a related vulnerability, CVE-2022-41040. These vulnerabilities belong to a series of Microsoft Exchange Server security issues that have been problematic since 2021, including ProxyLogon and ProxyShell.

A newer exploit method known as OWASSRF bypasses the mitigations Microsoft previously provided for ProxyNotShell. Unlike ProxyNotShell, OWASSRF uses the OWA frontend endpoint to exploit yet another vulnerability, CVE-2022-41080. This development illustrates how threat actors keep extending their toolbox with new tools and exploits, including ProxyNotShell, OWASSRF, and a remote code execution vulnerability in Microsoft Exchange Server.

The Play group, a cyber threat actor, often gains initial access to victim networks by abusing valid accounts and exploiting public-facing applications. It has been known to exploit vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell: CVE-2022-41040 and CVE-2022-41082). Notably, the ProxyNotShell vulnerability cannot be easily patched, much like other highly exploitable vulnerabilities such as Log4j, so it remains a significant concern in the cybersecurity landscape.
Description last updated: 2024-05-04T16:28:31.720Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2022-41082 | 7 | CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
CVE-2022-41040 | 6 | CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
CVE-2022-41080 | 4 | CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
Owassrf | 4 | OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha
Proxyshell | 3 | ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
Proxylogon | 2 | ProxyLogon is a significant software vulnerability, specifically a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. Identified as CVE-2021-26855, it forms part of the ProxyLogon exploit chain and allows attackers to bypass authentication mechanisms and impersonate users
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Exploits
Ransomware
Fortios
Zero Day
Microsoft
Remote Code ...
Log4j
RCE (Remote ...
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2020-12812 | Unspecified | 2 | None
CVE-2018-13379 | Unspecified | 2 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
Follina | Unspecified | 2 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2023-32031 | Unspecified | 2 | CVE-2023-32031 is a significant software vulnerability discovered in Microsoft's Exchange server. The flaw lies within the software's design or implementation and allows for remote code execution. This vulnerability could enable authenticated attackers on the Exchange server to execute malicious cod
CVE-2023-28310 | Unspecified | 2 | None
Source Document References
Information about the Proxynotshell vulnerability was read from the documents corpus below.
Source | Created | Title
CERT-EU | 9 months ago | Emerging Threat: What to Know About the Play Ransomware Group
CERT-EU | 8 months ago | The Top 10 Ransomware Groups of 2023
CERT-EU | a year ago | Florian Roth, Author at Nextron Systems
CERT-EU | 9 months ago | The ticking time bomb of Microsoft Exchange Server 2013
BankInfoSecurity | 9 months ago | Breach Roundup: MongoDB Blames Phishing Email for Breach
Malwarebytes | 9 months ago | FBI issues advisory over Play ransomware | Malwarebytes
CERT-EU | 9 months ago | Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
CERT-EU | 9 months ago | Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CrowdStrike | 10 months ago | October 2023 Patch Tuesday: Updates and Analysis
CrowdStrike | 10 months ago | Patch Tuesday Turns 20: The Impact of Microsoft’s Vulnerability Problem
CERT-EU | a year ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Checkpoint | 2 years ago | 26th December – Threat Intelligence Report – Check Point Research
CERT-EU | a year ago | Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU | a year ago | The attack via Progress MOVEit Transfer
CERT-EU | a year ago | Associated Wholesale Grocers Cyberattack Allegedly Claimed By Play Ransomware Group
Unit42 | 2 years ago | Threat Brief: OWASSRF Vulnerability Exploitation
CERT-EU | a year ago | CISA Sounds Alarm on Critical Infrastructure Devices Vulnerable to Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | CrowdStrike Report Highlights Crucial Shift In Ransomware Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
Krebs on Security | a year ago | Microsoft Patch Tuesday, June 2023 Edition
Securelist | 2 years ago | CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange