Picus Security Explains ProxyNotShell Vulnerabilities

Cybersecurity firm Picus Security has released a detailed analysis of the vulnerabilities referred to as ProxyNotShell. These two security flaws, CVE-2022-41040 and CVE-2022-41082, impacting Microsoft Exchange email servers, enable remote code execution and have been actively exploited by attackers.

The ProxyNotShell vulnerabilities are chained together to achieve exploitation, similar to the earlier ProxyShell issues. They affect even the latest versions of Exchange Server. The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF). It allows an authenticated attacker to trigger the second vulnerability, CVE-2022-41082, which in turn enables Remote Code Execution (RCE) if the attacker has PowerShell access.

Microsoft disclosed these vulnerabilities in September 2022 and released patches in November 2022. Picus Security has added new attack simulations for these vulnerabilities to its Threat Library to help organizations test and improve their defenses.

While ProxyShell vulnerabilities affected older Exchange versions and are still being exploited, the ProxyNotShell flaws highlight the ongoing risks to current systems. The active exploitation underscores the critical need for timely security updates and continuous monitoring of Exchange servers.