- Shadowserver Foundation announced that vulnerable Exchange server instances decreased from 85,000 to 60,000 within a month.
- ProxyNotShell exploits affect Exchange Server 2013, 2016, and 2019 and allow attackers to escalate privileges.
- Microsoft patched the vulnerabilities in the November update, but thousands of instances are still running a vulnerable version.
The Shadowserver Foundation, a nonprofit cybersecurity organization, announced that it found thousands of Microsoft Exchange servers exposed online that are not patched against the CVE-2022-41082 remote code execution vulnerability. While the number of vulnerable Exchange servers is slowly decreasing, more than 60,000 instances were still vulnerable to ProxyNotShell attacks as of the 2nd of January.
We are reporting out Microsoft Exchange servers still likely vulnerable to CVE-2022-41082 #ProxyNotShell. Nearly 70K IPs found without MS patches applied (based on version info). Previously recommended mitigation techniques can be bypassed by attackers https://t.co/ApcM9HwiOK pic.twitter.com/dGA0LvEAbG
— Shadowserver (@Shadowserver) December 26, 2022
ProxyNotShell exploits
ProxyNotShell exploits combine two vulnerabilities, tracked as CVE-2022-41082 and CVE-2022-41040. They affect Exchange Server 2013, 2016, and 2019 and allow attackers to escalate privileges to gain arbitrary or remote code execution. Although Microsoft addressed these vulnerabilities with a patch released in November 2022, hacker groups are still actively looking for vulnerable targets.