Monday, December 23, 2024
HomeCyber Security NewsOver 60,000 Online Exchange Servers Unpatched for RCE Vulnerability ProxyNotShell

Over 60,000 Online Exchange Servers Unpatched for RCE Vulnerability ProxyNotShell

Published on

SIEM as a Service

One of the two security flaws targeted by ProxyNotShell exploits, CVE-2022-41082 RCE vulnerability, has not been patched on more than 60,000 Microsoft Exchange servers, as a result, they are exposed online.

Another flaw that is in question has been tracked as CVE-2022-41080. A series of targeted attacks were employed by threat actors to exploit the ProxyNotShell zero-day vulnerabilities first disclosed in September.

It has been reported that almost 70,000 Microsoft Exchange servers are at risk of proxyNotShell attacks, in accordance with a recent tweet from security researchers at the Shadowserver Foundation.

- Advertisement - SIEM as a Service

As of recent data, 60,865 Exchange servers were detected as vulnerable on January 2nd, and this count is a decreased figure which is fallen from 83,946 in mid-December.

Vulnerable Exchange Versions

As a collective term, ProxyNotShell is the combination of these two security bugs. Apart from this, it has been found that these flaws affect the Exchange Server:-

  • 2013
  • 2016
  • 2019

The x_owa_version header was the basis for the experts’ assessment. Listed below are the Exchange versions that are vulnerable to these flaws (CVE-2022-41080/CVE-2022-41082):-

2019

  • 15.2.1118.15 – 15.2.1118.7 <– strict match of all 4 numbers required
  • 15.2.986.30 – 15.2.986.5 <– strict match of all 4 numbers required
  • 15.2.922.27 – 15.2.196.0 (anything less than or equal to 15.2.922 ) 

^^^ looser match of the first 3 numbers is required

2016

  • 15.1.2507.13 – 15.1.2507.6 <– strict match of all 4 numbers required
  • 15.1.2375.32 – 15.1.2375.7 <– strict match of all 4 numbers required
  • 15.1.2308.27 – 15.1.225.16 (anything less than or equal to 15.1.2308) 

^^^ looser match of the first 3 numbers is required

2013

  • 15.0.1497.31 – 15.0.1497.2 <– strict match of all 4 numbers required
  • 15.0.1473.6 – 15.0.516.32 (anything less than or equal to 15.0.1473)

^^^ looser match of the first 3 numbers is required

Attackers can use this vulnerability to escalate privileges on compromised servers, and they can also end up being able to execute arbitrary code remotely.

Recommendation

During the November 2022 Patch Tuesday, Microsoft released security updates that addressed the flaws in order to resolve them. During the month of September, GreyNoise, a company providing threat intelligence, has been closely monitoring the ongoing exploitation of ProxyNotShell.

As a security precaution, it is recommended that you apply the ProxyNotShell security patches from Microsoft released in November. This will ensure that your Exchange servers remain protected from incoming attacks.

A mitigation plan was also provided by the company, but attackers can circumvent those measures. In short, the only servers that are secure from compromise are those that are fully patched.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called "PentestGPT" that helps penetration...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...