ProxyNotShell

Vulnerability Profile Updated 2 months ago
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint to exploit a related vulnerability, CVE-2022-41040. These flaws belong to a series of Microsoft Exchange Server security issues that have been problematic since 2021, including ProxyLogon and ProxyShell.

A newer exploit method, OWASSRF, has since emerged that bypasses the mitigations Microsoft previously provided for ProxyNotShell. Unlike ProxyNotShell, OWASSRF uses the OWA front-end endpoint to exploit yet another vulnerability, CVE-2022-41080. This development shows how threat actors continue to augment their toolbox with new tools and exploits, including ProxyNotShell, OWASSRF, and a remote code execution vulnerability in Microsoft Exchange Server.

The Play group, a cyber threat actor, often gains initial access to victim networks by abusing valid accounts and exploiting public-facing applications. It has been known to exploit vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and in Microsoft Exchange (ProxyNotShell: CVE-2022-41040 and CVE-2022-41082). Notably, the ProxyNotShell vulnerability cannot be easily patched, much like other highly exploitable vulnerabilities such as Log4j, so it remains a significant concern in the cybersecurity landscape.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2022-41082 | 7 | CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
CVE-2022-41040 | 6 | CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
OWASSRF | 4 | OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha
CVE-2022-41080 | 4 | CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
ProxyShell | 3 | ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in
ProxyLogon | 2 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Exploits
Ransomware
Zero Day
Log4j
RCE (Remote ...
Microsoft
Fortios
Remote Code ...
CISA
Encryption
China
Moveit
Outlook
Malware
Proxy
Confluence
Webkit
Android
Mft
Sophos
Esxi
Kaspersky
exploited
State Sponso...
Chromium
Windows
Ios
Firefox
Manageengine
Associated Malware
ID | Type | Votes | Profile Description
NotPetya | Unspecified | 1 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
WannaCry | Unspecified | 1 | WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41 | Unspecified | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
UNC3886 | Unspecified | 1 | UNC3886 is a threat actor believed to be linked with China and has been actively exploiting VMware zero-day vulnerabilities since 2021. This group, also known as an Advanced Persistent Threat (APT), has demonstrated sophisticated cyber-espionage capabilities, targeting global strategic organizations
HAFNIUM | Unspecified | 1 | Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microso
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Follina | Unspecified | 2 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2023-32031 | Unspecified | 2 | CVE-2023-32031 is a significant software vulnerability discovered in Microsoft's Exchange server. The flaw lies within the software's design or implementation and allows for remote code execution. This vulnerability could enable authenticated attackers on the Exchange server to execute malicious cod
CVE-2023-28310 | Unspecified | 2 | None
CVE-2020-12812 | Unspecified | 2 | None
CVE-2018-13379 | Unspecified | 2 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
CVE-2022-47966 | Unspecified | 1 | CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of
CVE-2022-21882 | Unspecified | 1 | None
CVE-2022-22587 | Unspecified | 1 | None
CVE-2022-22620 | Unspecified | 1 | None
CVE-2021-39793 | Unspecified | 1 | None
CVE-2020-12271 | Unspecified | 1 | None
CVE-2022-1096 | Unspecified | 1 | None
CVE-2022-1364 | Unspecified | 1 | None
CVE-2021-36942 | Unspecified | 1 | None
CVE-2022-2856 | Unspecified | 1 | None
CVE-2021-38000 | Unspecified | 1 | None
CVE-2021-34473 | Unspecified | 1 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2022-41128 | Unspecified | 1 | None
CVE-2021-34480 | Unspecified | 1 | None
CVE-2022-41073 | Unspecified | 1 | None
CVE-2022-22706 | Unspecified | 1 | None
CVE-2021-28664 | Unspecified | 1 | None
CVE-2021-30551 | Unspecified | 1 | None
CVE-2021-21195 | Unspecified | 1 | None
CVE-2022-26925 | Unspecified | 1 | None
CVE-2022-30190 | Unspecified | 1 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
CVE-2021-40444 | Unspecified | 1 | None
CVE-2022-26134 | Unspecified | 1 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2021-26084 | Unspecified | 1 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2023-0669 | Unspecified | 1 | CVE-2023-0669 is a software vulnerability that originated in Fortra's GoAnywhere Managed File Transfer (MFT) tool, which is a secure file transfer solution. This flaw, a remote code execution (RCE) vulnerability, allows unauthorized users to execute arbitrary commands on the affected system. The Clo
Log4Shell | Unspecified | 1 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2021-44207 | Unspecified | 1 | CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
CVE-2023-2868 | Unspecified | 1 | CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2022-41328 | Unspecified | 1 | CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
ProxyNotShell CVE-2022-41040 | Unspecified | 1 | None
CVE-2021-26855 | Unspecified | 1 | CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
CVE-2021-1732 | Unspecified | 1 | CVE-2021-1732 is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Windows 10 systems. This vulnerability exposes the system to an elevation of privilege threat, where an attacker could potentially gain higher-level permissions on the system and carry out m
CVE-2021-30983 | Unspecified | 1 | None
CVE-2022-26485 | Unspecified | 1 | None
CVE-2022-1040 | Unspecified | 1 | None
CVE-2023-21529 | Unspecified | 1 | None
CVE-2022-37987 | Unspecified | 1 | None
CVE-2022-42856 | Unspecified | 1 | CVE-2022-42856 is a critical zero-day vulnerability discovered in Apple's WebKit, the company's web rendering engine. This flaw, characterized as an iOS remote code execution vulnerability, posed a significant risk to users due to its potential exploitation in the wild, enabling unauthorized parties
Source Document References
Information about the ProxyNotShell vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | The Top 10 Ransomware Groups of 2023
CERT-EU | 10 months ago | Florian Roth, Author at Nextron Systems
CERT-EU | 7 months ago | The ticking time bomb of Microsoft Exchange Server 2013
BankInfoSecurity | 7 months ago | Breach Roundup: MongoDB Blames Phishing Email for Breach
Malwarebytes | 7 months ago | FBI issues advisory over Play ransomware | Malwarebytes
CERT-EU | 7 months ago | Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
CERT-EU | 7 months ago | Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CrowdStrike | 9 months ago | October 2023 Patch Tuesday: Updates and Analysis
CrowdStrike | 9 months ago | Patch Tuesday Turns 20: The Impact of Microsoft’s Vulnerability Problem
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Checkpoint | a year ago | 26th December – Threat Intelligence Report – Check Point Research
CERT-EU | 10 months ago | Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU | a year ago | The attack via Progress MOVEit Transfer
CERT-EU | 9 months ago | Associated Wholesale Grocers Cyberattack Allegedly Claimed By Play Ransomware Group
Unit42 | a year ago | Threat Brief: OWASSRF Vulnerability Exploitation
CERT-EU | a year ago | CISA Sounds Alarm on Critical Infrastructure Devices Vulnerable to Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | CrowdStrike Report Highlights Crucial Shift In Ransomware Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
Krebs on Security | a year ago | Microsoft Patch Tuesday, June 2023 Edition
Securelist | a year ago | CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
CERT-EU | a year ago | Ransomware vulnerability warning pilot yielding valuable lessons, CISA official says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting