
Test Against the Newest Microsoft Exchange Vulnerability: ProxyNotShell

By: Dave Klein

Last Updated: July 1, 2025


Throughout the year, we saw both nation-state and financially motivated attackers focused on finding and exploiting new on-premises MS Exchange vulnerabilities. The most successful exploits found were for the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which were used by many attackers. This included attacks in March of this year, where The DFIR Report disclosed that Iranian nation-state actors were exploiting MS Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. By September, attackers were still having success with the MS Exchange ProxyShell vulnerabilities, which were being used by Chinese nation-state actors, among many others.

The Rise of ProxyNotShell  

GTSC, a Vietnamese cybersecurity firm, released a blog post describing a new, exploited on-premises MS Exchange zero-day vulnerability, CVE-2022-41082, that, when combined with another vulnerability, CVE-2022-41040, could lead to remote code execution attacks. It is particularly important to note that, at the time of writing of this blog post, Microsoft has not released any patches to fix these vulnerabilities and suggests adding a blocking rule as a mitigation measure. Other researchers pointed out that Microsoft’s proposed blocking rule was too specific and could easily be bypassed, and suggested a broader, less specific alternative designed to cover a wider set of attacks. Checking the Shodan Report, we find that over 205,247 on-premises MS Exchange servers that are vulnerable to the ProxyNotShell attack are reachable from the Internet.

For Cymulate Customers and Prospects 

To help the industry defend itself, our Cymulate Research Lab team wrote a terrific article for The Hacker News, which I highly recommend as a must-read and which should be helpful for all who still run on-premises MS Exchange. To further protect our customers and partners, the Cymulate Research Lab team has also developed a custom-made assessment for ProxyNotShell for the Cymulate solution that enables organizations to estimate exactly their degree of exposure within their enterprise. It has also been added as an attack vector to the advanced scenarios portion of the solution. The article describes the assessment well, and it has already been updated within the solution. Cymulate customers only need to log in to their consoles and test. For prospects, we will be more than happy to offer a demo that allows you to quickly check your enterprise as well.

Final Takeaways 

The most effective way to discover, assess, and reduce risk is through continuous security validation. If your organization still relies on on-premises Microsoft Exchange, now is a good time to evaluate whether transitioning to a more secure, managed cloud instance aligns with your long-term security strategy. While there are no silver bullets in cybersecurity, cloud-based options are often the safer and more resilient choice for many enterprises.
