Microsoft Exchange Server, PowerShell remoting deserialisation RCE (ProxyNotShell #2)
Microsoft Exchange Server Remote Code Execution Vulnerability.
Overview
CVE-2022-41082 is a critical remote code execution vulnerability in Microsoft Exchange Server caused by unsafe deserialization in the PowerShell remoting endpoint. This vulnerability represents the second half of the "ProxyNotShell" exploit chain, working in conjunction with CVE-2022-41040 (an SSRF vulnerability) to enable authenticated remote attackers to execute arbitrary code with SYSTEM privileges on vulnerable Exchange servers.
Technical Details
The vulnerability exists in Exchange Server's PowerShell remoting endpoint, where improper deserialization of user-supplied data allows an authenticated user to execute arbitrary code. While direct exploitation requires access to the PowerShell remoting interface, the companion vulnerability CVE-2022-41040 provides an SSRF bypass that allows any authenticated mailbox user to reach this endpoint remotely.
The ProxyNotShell attack chain works as follows:
- An attacker with valid mailbox credentials uses CVE-2022-41040 to access the PowerShell remoting endpoint via SSRF
- The attacker then exploits CVE-2022-41082's deserialization flaw to execute arbitrary code as SYSTEM
The vulnerability was first reported by GTSC security researchers in August-September 2022. Microsoft released interim mitigations in October 2022, but these workarounds were subsequently bypassed. A complete patch was released in the November 2022 Patch Tuesday update cycle.
Impact
Successful exploitation of this vulnerability in combination with CVE-2022-41040 allows an attacker with any valid mailbox credentials to achieve remote code execution with SYSTEM privileges on the Exchange server. This represents a complete compromise of the affected server, potentially enabling:
- Full control over email communications
- Lateral movement within the network
- Data exfiltration
- Deployment of ransomware or other malware
- Persistence mechanisms for long-term access
Mitigation
- Apply the November 2022 Exchange Server Cumulative Update immediately
- Restrict external access to Outlook Web Access (OWA) where possible
- Consider migration to Exchange Online to reduce on-premises attack surface
- Implement network segmentation to limit Exchange server exposure
- Ensure multi-factor authentication is enabled for all mailbox accounts
Detection
- Hunt for published Indicators of Compromise (IOCs) associated with ProxyNotShell exploitation
- Monitor PowerShell remoting activity on Exchange servers for anomalous behavior
- Review IIS logs for suspicious requests targeting the autodiscover endpoint
- Implement endpoint detection solutions capable of identifying deserialization attacks
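As an added illustration of the IIS log review recommended above (this is not part of the original advisory), the following script parses constructed W3C log lines from an Exchange front end and flags autodiscover requests whose URI also references the PowerShell remoting endpoint. The field set, sample entries and matching heuristic are assumptions to tune for your environment, not a vendor rule.

```python
"""Heuristic scan of IIS W3C logs for the autodiscover-to-PowerShell request
shape associated with ProxyNotShell. Tune the rule before relying on it."""
from dataclasses import dataclass

# Constructed IIS W3C log excerpt (not real traffic). The "#Fields:" header
# lets us map columns by name instead of hard-coding positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.0.20 Outlook/16.0 200
2022-09-30 10:01:07 10.0.0.5 POST /autodiscover/autodiscover.json q=1/powershell 443 CORP\\bob 198.51.100.7 python-requests/2.28 200
2022-09-30 10:01:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    user: str
    request: str      # stem plus query, as IIS recorded it
    user_agent: str

def parse_w3c(text: str):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_proxynotshell_shape(stem: str, query: str) -> bool:
    """Autodiscover request whose full URI also names the PowerShell endpoint."""
    full = stem.lower() if query == "-" else f"{stem}?{query}".lower()
    return stem.lower().startswith("/autodiscover/") and "powershell" in full

def scan(text: str) -> list[Hit]:
    """Return every entry matching the heuristic, with the fields needed for triage."""
    hits = []
    for e in parse_w3c(text):
        if is_proxynotshell_shape(e["cs-uri-stem"], e["cs-uri-query"]):
            hits.append(Hit(f'{e["date"]} {e["time"]}', e["c-ip"], e["cs-username"],
                            f'{e["cs-uri-stem"]}?{e["cs-uri-query"]}', e["cs(User-Agent)"]))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client_ip} {h.user} {h.request} ua={h.user_agent}")
```

On a default IIS install the front-end logs live under %SystemDrive%\inetpub\logs\LogFiles\W3SVC1; read each file's contents and pass them to scan(), then pivot on the flagged username and client IP.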