Last year, two high severity, easily exploitable Microsoft Exchange vulnerabilities dubbed ProxyLogon and ProxyShell made waves in the infosec sphere. Nearly a year later, Exchange Server admins are met with another threat: ProxyNotShell, which in fact is a vulnerability chain comprising two actively exploited flaws:
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability that an authenticated attacker can exploit for privilege escalation. This vulnerability occurs because the root cause of ProxyShell’s path confusion flaw remains, as explained further below.
CVE-2022-41082 is a deserialization flaw that can be abused to achieve remote code execution (RCE) in Exchange’s PowerShell backend once it becomes accessible to the attacker.
Both vulnerabilities impact Microsoft Exchange Server on-premises and hybrid setups running Exchange versions 2013, 2016, and 2019 with an internet-exposed Outlook Web App (OWA) component.