Nearly 70K Unpatched Exchange Servers Are Sitting Ducks For ProxyNotShell Exploit
We reported on ProxyNotShell back in October of 2022, and Microsoft provided some mitigation options that were rapidly overcome by the bad actors. The exploit, labeled as CVE-2022-41082, is a method in which an attacker crafts malicious requests that the server processes, resulting in arbitrary remote code execution. This in turn would allow an attacker to gain administrative rights and access to the entire Exchange Server implementation. The attack vector itself seems to be through Outlook Web Access. The attacker needs an existing user account before being able to exploit the vulnerability; however, the level of access for that user does not seem to matter.
According to the non-profit security research organization ShadowServer, its scans indicate that more than 70,000 public-facing IP addresses with Exchange deployed responded with version numbers lower than that of the November 2022 patch, which resolves the issue. While this is much lower than the number of unpatched servers before the release, it does mean there's still a pretty hefty quantity of servers that are vulnerable.
We are reporting out Microsoft Exchange servers still likely vulnerable to CVE-2022-41082 #ProxyNotShell. Nearly 70K IPs found without MS patches applied (based on version info). Previously recommended mitigation techniques can be bypassed by attackers https://t.co/ApcM9HwiOK pic.twitter.com/dGA0LvEAbG
— Shadowserver (@Shadowserver) December 26, 2022