NAVANEM
CVE-2022-41040 (exploited in the wild)

Microsoft Exchange Server, SSRF (ProxyNotShell #1)

Microsoft Exchange Server Elevation of Privilege Vulnerability.

Overview

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability in the autodiscover and Outlook Web Access (OWA) endpoints of Microsoft Exchange Server. It allows an authenticated attacker to craft requests that Exchange Server forwards to internal endpoints with elevated privileges. When chained with CVE-2022-41082 (a PowerShell deserialization remote code execution vulnerability), the combination, dubbed ProxyNotShell, enables authenticated remote code execution on vulnerable Exchange servers.

Technical Details

The vulnerability exists in Exchange's autodiscover and OWA components. An authenticated attacker can exploit the SSRF flaw to make Exchange Server issue requests to internal endpoints that would normally be inaccessible. The attack chain works as follows:

  1. The attacker authenticates to Exchange (valid credentials required)
  2. CVE-2022-41040 (SSRF) is exploited to access internal Exchange endpoints
  3. CVE-2022-41082 (deserialization RCE in PowerShell backend) is triggered through the SSRF
  4. The attacker achieves code execution with Exchange Server privileges

This vulnerability continues the pattern of Exchange authentication bypass and privilege escalation bugs seen in previous years, including ProxyLogon, ProxyShell, and ProxyToken.

Impact

Successful exploitation of ProxyNotShell grants attackers significant access:

  • Complete mailbox access: Read, modify, or exfiltrate email content from all users
  • Credential theft: Capture Active Directory credentials of users connecting to OWA
  • Internal phishing: Send malicious emails from legitimate internal addresses
  • Lateral movement: Use Exchange's privileged position in the network for further attacks

GTSC (a Vietnamese security firm) disclosed in-the-wild exploitation in August 2022, initially attributed to a China-linked threat actor. Following public disclosure, ransomware affiliates adopted the exploit chain. Microsoft released patches in the November 2022 Patch Tuesday after initial URL rewrite workarounds proved insufficient.

Mitigation

  1. Apply patches: Update on-premises Exchange to the November 2022 cumulative update or later
  2. Migration: Consider migrating to Exchange Online (Microsoft 365), which is unaffected
  3. Network restrictions: Restrict OWA/EWS access to authenticated users only; block external access where business requirements permit
  4. Reduce attack surface: Disable unnecessary Exchange services exposed to the internet

Detection

  • Review IIS logs for suspicious autodiscover requests containing path traversal patterns matching GTSC's published indicators
  • Monitor for unusual PowerShell execution on Exchange servers
  • Alert on unexpected outbound connections from Exchange to internal endpoints
  • Implement endpoint detection rules for known ProxyNotShell exploitation patterns
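The first detection item above (reviewing IIS logs for autodiscover requests carrying traversal-style patterns) is shown here as an added example; it is not code from the original page or from GTSC. The log excerpt is constructed, and the traversal and "powershell" heuristics are assumptions for illustration, not GTSC's published indicators, so tune them to the indicators you actually use.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real data): a benign autodiscover request,
# a benign OWA request and two autodiscover requests carrying traversal-style
# sequences plus a "powershell" segment (one URL-encoded).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\\alice 192.0.2.10 Outlook/16.0 200
2022-09-29 10:15:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 192.0.2.11 Mozilla/5.0 200
2022-09-29 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json ../../powershell/cmd=1 443 CONTOSO\\alice 198.51.100.7 python-requests/2.28 200
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json %2e%2e%2F%2e%2e%2Fpowershell 443 - 198.51.100.7 python-requests/2.28 401
"""

# Assumed heuristics: traversal markers, or a reference to the PowerShell backend,
# inside an autodiscover request. Replace with the indicators you rely on.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
BACKEND = re.compile(r"powershell", re.IGNORECASE)

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS replaces spaces inside values with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_suspicious_autodiscover(rec):
    """True for an autodiscover request whose decoded URL shows traversal or a backend reference."""
    stem = rec.get("cs-uri-stem", "")
    if "autodiscover" not in stem.lower():
        return False
    # Decode twice so double-encoded sequences such as %252e are also examined.
    url = unquote(unquote(stem + "?" + rec.get("cs-uri-query", "")))
    return bool(TRAVERSAL.search(url) or BACKEND.search(url))

def find_suspicious_requests(text):
    """Return (client ip, status, uri stem, query) for every flagged record in the log text."""
    return [(r["c-ip"], r["sc-status"], r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_iis_log(text) if is_suspicious_autodiscover(r)]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print("suspicious autodiscover request:", hit)
```

A 200 response on a flagged request deserves more attention than a 401, since the SSRF described above requires valid credentials.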