Patch ProxyNotShell vulnerability now: Still many vulnerable Exchange servers in Germany
by Tina Siering
We first reported on the Microsoft Exchange security vulnerabilities CVE-2022-41082 and CVE-2022-41040, known as ProxyNotShell, in September 2022 and successively updated our article afterwards. The issue made headlines for several weeks, not least because Microsoft took a good four weeks to publish the first security patches. Admins had to bridge the dangerous transition period with workarounds to protect themselves.
Both vulnerabilities were classified as extremely critical from the outset, and significant attacks on the affected servers (MS Exchange Server 2019, 2016 and 2013) followed.
The threat reached a new peak at the end of December 2022: attackers actively used a new exploit to compromise systems with the "Play" extortion Trojan (CVE-2022-41080). The exploit combined a new vulnerability with an already known one. Despite this further intensification of the threat situation, it is now known that more than 60,000 online-accessible Microsoft Exchange servers worldwide have still not been patched against the known security vulnerabilities - around 10,000 of them in Germany alone. Security researchers from the Shadowserver Foundation established these figures and published them on Twitter.
We recommend that IT security managers apply the security update provided by Microsoft now to permanently close these potential security gaps.