
CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell


This pack handles the Microsoft Exchange SSRF vulnerability CVE-2022-41040 and the RCE vulnerability CVE-2022-41082, together known as ProxyNotShell, a pair of zero-day vulnerabilities exploited in the wild against Microsoft Exchange Servers.

This pack is part of the Rapid Breach Response pack.

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

This playbook includes the following tasks:

  • Collect detection rules, indicators and mitigation tools.
  • Hunt for exploitation patterns using the Cortex XDR XQL Engine.
  • Hunt for exploitation patterns using 3rd-party SIEM products.
  • Hunt for indicators.
  • Provide Microsoft's mitigation and detection guidance.

More information:

Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)

References:

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER

ProxyNotShell — the story of the claimed zero days in Microsoft Exchange

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Supported By: Cortex
Created: October 2, 2022
Last Release: October 26, 2022

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.