Thursday, February 6, 2025
HomeCyber Security NewsOver 60,000 Online Exchange Servers Unpatched for RCE Vulnerability ProxyNotShell

Over 60,000 Online Exchange Servers Unpatched for RCE Vulnerability ProxyNotShell

Published on

SIEM as a Service

Follow Us on Google News

One of the two security flaws targeted by ProxyNotShell exploits, CVE-2022-41082 RCE vulnerability, has not been patched on more than 60,000 Microsoft Exchange servers, as a result, they are exposed online.

Another flaw that is in question has been tracked as CVE-2022-41080. A series of targeted attacks were employed by threat actors to exploit the ProxyNotShell zero-day vulnerabilities first disclosed in September.

It has been reported that almost 70,000 Microsoft Exchange servers are at risk of proxyNotShell attacks, in accordance with a recent tweet from security researchers at the Shadowserver Foundation.

As of recent data, 60,865 Exchange servers were detected as vulnerable on January 2nd, and this count is a decreased figure which is fallen from 83,946 in mid-December.

Vulnerable Exchange Versions

As a collective term, ProxyNotShell is the combination of these two security bugs. Apart from this, it has been found that these flaws affect the Exchange Server:-

  • 2013
  • 2016
  • 2019

The x_owa_version header was the basis for the experts’ assessment. Listed below are the Exchange versions that are vulnerable to these flaws (CVE-2022-41080/CVE-2022-41082):-

2019

  • 15.2.1118.15 – 15.2.1118.7 <– strict match of all 4 numbers required
  • 15.2.986.30 – 15.2.986.5 <– strict match of all 4 numbers required
  • 15.2.922.27 – 15.2.196.0 (anything less than or equal to 15.2.922 ) 

^^^ looser match of the first 3 numbers is required

2016

  • 15.1.2507.13 – 15.1.2507.6 <– strict match of all 4 numbers required
  • 15.1.2375.32 – 15.1.2375.7 <– strict match of all 4 numbers required
  • 15.1.2308.27 – 15.1.225.16 (anything less than or equal to 15.1.2308) 

^^^ looser match of the first 3 numbers is required

2013

  • 15.0.1497.31 – 15.0.1497.2 <– strict match of all 4 numbers required
  • 15.0.1473.6 – 15.0.516.32 (anything less than or equal to 15.0.1473)

^^^ looser match of the first 3 numbers is required

Attackers can use this vulnerability to escalate privileges on compromised servers, and they can also end up being able to execute arbitrary code remotely.

Recommendation

During the November 2022 Patch Tuesday, Microsoft released security updates that addressed the flaws in order to resolve them. During the month of September, GreyNoise, a company providing threat intelligence, has been closely monitoring the ongoing exploitation of ProxyNotShell.

As a security precaution, it is recommended that you apply the ProxyNotShell security patches from Microsoft released in November. This will ensure that your Exchange servers remain protected from incoming attacks.

A mitigation plan was also provided by the company, but attackers can circumvent those measures. In short, the only servers that are secure from compromise are those that are fully patched.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Beware of Nova Stealer Malware Sold for $50 on Hacking Forums

The cybersecurity landscape faces a new challenge with the emergence of Nova Stealer, a...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...