The RCE security flaw, which has been actively targeted by exploits, remains unpatched on more than 60,000 Microsoft Exchange servers, leaving them exposed online.
Another flaw has been identified as . Threat actors exploited the ProxyNotShell zero-day vulnerabilities, first disclosed in September, in a series of targeted attacks.
According to a tweet by security researchers at the Shadowserver Foundation, nearly 70,000 Microsoft Exchange servers could be at risk from ProxyNotShell attacks.
According to recent data, 60% of have been identified as being vulnerable since January 2, and that number is down from the 83,946 recorded in December.
Vulnerable Versions
ProxyNotShell is the collective name for these security flaws, which affect the following Exchange Server versions:
- 2013
- 2016
- 2019
Experts’ assessments were based on the x_owa_version header. The Exchange builds listed below are vulnerable to these flaws (CVE-2022-41080 / CVE-2022-41082):
2019
- 15.2.1118.15 to 15.2.1118.7
- 15.2.986.30 to 15.2.986.5
- 15.2.922.27 to 15.2.196.0
A looser match on the first three numbers is necessary.
2016
- 15.1.2507.13 to 15.1.2507.6
- 15.1.2375.32 to 15.1.2375.7
- 15.1.2308.27 to 15.1.225.16
A looser match on the first three numbers is necessary.
2013
- 15.0.1497.31 to 15.0.1497.2 (exact match of all four numbers)
- 15.0.1473.6 to 15.0.516.32
A looser match on the first three numbers is necessary.
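As an added example (not code from the article or from Shadowserver), the following Python script applies the build ranges above to observed x_owa_version values to triage which servers still need the November patch. It assumes that the article's "looser match" means only the first three build numbers are compared against a range, that the 2013 range marked exact compares all four, and the sample inventory is constructed.

```python
from typing import List, Tuple

Version = Tuple[int, ...]

# Vulnerable build ranges as listed in the article: (upper, lower, exact).
# exact=True compares all four build numbers; exact=False compares only the
# first three (our reading of the article's "looser match" note: an assumption).
VULNERABLE_RANGES: List[Tuple[str, str, bool]] = [
    ("15.2.1118.15", "15.2.1118.7", False),   # Exchange 2019
    ("15.2.986.30", "15.2.986.5", False),
    ("15.2.922.27", "15.2.196.0", False),
    ("15.1.2507.13", "15.1.2507.6", False),   # Exchange 2016
    ("15.1.2375.32", "15.1.2375.7", False),
    ("15.1.2308.27", "15.1.225.16", False),
    ("15.0.1497.31", "15.0.1497.2", True),    # Exchange 2013, exact match
    ("15.0.1473.6", "15.0.516.32", False),
]

def parse_version(text: str) -> Version:
    """Parse an x_owa_version value like '15.2.1118.7' into a tuple of ints.
    Three-part values are accepted (loose ranges need only three numbers)."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    return tuple(int(p) for p in parts)

def in_range(ver: Version, upper: str, lower: str, exact: bool) -> bool:
    """True if ver lies between lower and upper, comparing 4 or 3 numbers."""
    hi, lo = parse_version(upper), parse_version(lower)
    n = 4 if exact else 3
    if len(ver) < n:
        return False  # an exact four-number match needs a full build number
    return lo[:n] <= ver[:n] <= hi[:n]

def is_vulnerable(header_value: str) -> bool:
    """Return True if the reported build falls in any listed vulnerable range."""
    ver = parse_version(header_value)
    return any(in_range(ver, hi, lo, exact) for hi, lo, exact in VULNERABLE_RANGES)

def triage(owa_versions: List[str]) -> List[str]:
    """Filter observed x_owa_version values down to the builds that need patching."""
    return [v for v in owa_versions if is_vulnerable(v)]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    print(triage(["15.2.1118.7", "15.2.1258.12", "15.0.1497.31", "15.1.2308.27"]))
```

Because the loose ranges ignore the fourth number, a patched build that shares its first three numbers with a vulnerable one is still flagged, so confirm the full build on the server before closing a finding.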
Attackers can use these vulnerabilities to escalate privileges on compromised servers and to execute code remotely.
Recommendation
Microsoft issued security updates on the November 2022 Patch Tuesday to address the vulnerabilities. GreyNoise closely monitored the ongoing exploitation of ProxyNotShell throughout September.
It is recommended to apply the ProxyNotShell security patches Microsoft released in November; they protect Exchange servers from incoming attacks that exploit these flaws.
Microsoft also offered a mitigation plan, but attackers could easily circumvent it, so the only way to protect servers from compromise is to patch them fully.