Proxynotshell

Vulnerability updated 7 months ago (2024-05-04T17:40:01.141Z)
ProxyNotShell is a pair of vulnerabilities in Microsoft Exchange Server that were exploited in the wild as zero-days in late September 2022 and were subsequently analyzed by Palo Alto Networks' Unit 42 among others. The chain starts with CVE-2022-41040, a server-side request forgery (SSRF) flaw reachable through the Autodiscover endpoint, which lets an attacker holding valid credentials reach the Exchange PowerShell backend; from there CVE-2022-41082 is triggered for remote code execution. These flaws continue a series of Exchange Server issues exploited since 2021, including ProxyLogon and ProxyShell. In December 2022 a new exploit method known as OWASSRF emerged that bypasses the URL Rewrite mitigations Microsoft had published for ProxyNotShell: instead of the Autodiscover endpoint it uses the Outlook Web Access (OWA) frontend to exploit CVE-2022-41080, an elevation of privilege flaw, and chains it with CVE-2022-41082 for remote code execution. This illustrates how threat actors keep augmenting their toolbox with new exploits against the same product. The Play ransomware group, for example, typically gains initial access by abusing valid accounts and exploiting public-facing applications, and has been observed exploiting FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell, CVE-2022-41040 and CVE-2022-41082). Microsoft shipped fixes for CVE-2022-41040, CVE-2022-41082 and CVE-2022-41080 in the November 2022 Exchange Server security updates; the interim URL Rewrite mitigation is not a substitute for those updates, as OWASSRF demonstrated. Much as with Log4j, ProxyNotShell remains a significant concern because unpatched, internet-exposed servers persist long after the fix was released.
Description last updated: 2024-05-04T16:28:31.720Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following are possible overlapping names / profiles that may also be relevant.
Alias (votes): description
CVE-2022-41082 (7): possible alias for ProxyNotShell. CVE-2022-41082 is a critical vulnerability in Microsoft Exchange Server that allows remote code execution (RCE). It is one of the two zero-day vulnerabilities exploited together, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack…
CVE-2022-41040 (6): possible alias for ProxyNotShell. CVE-2022-41040 is a vulnerability discovered in late September 2022 together with CVE-2022-41082. These two zero-day vulnerabilities are collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism…
CVE-2022-41080 (4): possible alias for ProxyNotShell. CVE-2022-41080 is a Microsoft Exchange Server vulnerability identified in 2022, classified by Microsoft as an elevation of privilege flaw. In the OWASSRF chain it is reached through the OWA frontend and combined with CVE-2022-41082 to execute…
OWASSRF (4): possible alias for ProxyNotShell. OWASSRF is an exploit method that presents a significant security risk to Microsoft Exchange Server. It bypasses the ProxyNotShell mitigations and allows remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha…
ProxyShell (3): possible alias for ProxyNotShell. ProxyShell is a vulnerability chain affecting Microsoft Exchange email servers, posing a significant risk to organizations worldwide. It allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac…
ProxyLogon (2): possible alias for ProxyNotShell. ProxyLogon is a significant vulnerability discovered in Microsoft Exchange Server. It is part of an exploit chain that includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability. This flaw allows attackers to bypass authentication mechanisms and impersonate u…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Vulnerability, Exploits, Ransomware, FortiOS, Zero Day, Microsoft, Remote Code …, Log4j, RCE (Remote …
Associated Vulnerabilities
Vulnerability (association type, votes): description
CVE-2020-12812 (Unspecified, 2): associated with ProxyNotShell.
CVE-2018-13379 (Unspecified, 2): associated with ProxyNotShell. CVE-2018-13379 is a critical vulnerability in FortiOS (FortiGate SSL VPN) that can expose sensitive credentials. It has been frequently exploited, making the top 15 most routinely exploited list in both 20…
Follina (Unspecified, 2): associated with ProxyNotShell. Follina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a threat actor known for its cyber attacks, shortly after its discovery and publication…
CVE-2023-32031 (Unspecified, 2): associated with ProxyNotShell. CVE-2023-32031 is a significant vulnerability in Microsoft Exchange Server that allows remote code execution. It enables authenticated attackers on the Exchange server to execute malicious cod…
CVE-2023-28310 (Unspecified, 2): associated with ProxyNotShell.
Source Document References
Information about the ProxyNotShell vulnerability was read from the documents corpus below (display limited to 20 results).
Source (created):
CERT-EU (a year ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
Malwarebytes (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CrowdStrike (a year ago)
CrowdStrike (a year ago)
CERT-EU (a year ago)
Checkpoint (2 years ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Unit42 (2 years ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
Krebs on Security (a year ago)
Securelist (2 years ago)