Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations

Recent Play ransomware attacks targeting Exchange servers were observed using a new exploit chain that bypasses Microsoft’s ProxyNotShell mitigations.

Recent Play ransomware attacks targeting Exchange servers were observed using a new exploit chain that bypasses Microsoft’s ProxyNotShell mitigations.

Similar to the old ProxyShell vulnerability, ProxyNotShell consists of two security defects in Exchange Server: CVE-2022-41040, a server-side request forgery (SSRF) bug with a CVSS score of 8.8; and CVE-2022-41082, a remote code execution (RCE) flaw with a CVSS score of 8.0.

The two vulnerabilities were initially reported in September, when they were already being exploited in attacks. Microsoft addressed these bugs as part of its November 2022 Patch Tuesday security updates.

The ProxyNotShell exploit chain targets CVE-2022-41040 to access the Autodiscover endpoint and reach the Exchange backend for arbitrary URLs, after which CVE-2022-41082 is exploited to execute arbitrary code. In response, Microsoft deployed a series of URL rewrite mitigations for the Autodiscover endpoint.

The recently observed Play ransomware attacks, however, gain initial access by means of a new exploit chain – which CrowdStrike has named OWASSRF – that involves a SSRF equivalent to the Autodiscover technique and the exploit used in the second step of ProxyNotShell.

OWASSRF provides attackers with access to the PowerShell remoting service through the Outlook Web Application (OWA) instead of Autodiscover. The attack likely exploits CVE-2022-41080, a high-severity privilege escalation flaw impacting Exchange Server 2016 and 2019, the cybersecurity firm says.

CVE-2022-41080 was resolved on November 8 alongside ProxyNotShell vulnerabilities and another privilege escalation flaw, tracked as CVE-2022-41123, which is described as a DLL hijacking bug.

“CVE-2022-41080, has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022-41040 used in the ProxyNotShell exploit chain, and it has been marked ‘exploitation more likely’. Based on these findings, CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022-41080,” CrowdStrike says.

Organizations are advised to apply Microsoft’s November 2022 patches as soon as possible, to mitigate ProxyNotShell and other exploited vulnerabilities, to disable remote PowerShell for non-administrative users, and to deploy endpoint detection and response (EDR) tools that can detect potential exploitation attempts.

Related: Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.