Latest Security Vulnerability of the Week Proxy Not Shell vulnerability – Special on Exchange Zero Day Vulnerability – Updates & Mitigations

proxynotshell proxy-not-shell vulnerability update exchange microsoft zeroday

Previous Issues of vulnerability Weekly

This week we focus on the zero-day release on the 29 with a detailed analysis of the attacks and results so far in mitigations.

Two new Microsoft Exchange zero-days exploited in the wild from Chinese ATP

On September 30th, two vulnerabilities were discovered in a large attack.

On September 29, a Vietnamese researcher warned the ATP was targeting exchange servers with RCE directly on the system.

As RCE is a category of devastating attacks as they allow an attacker to further deploy payloads and additional exploits. 

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.


Proxy no shell is from the researcher Kevin Beaumont named the vulnerabilities ProxyNotShell due to similarities to the Exchange vulnerability dubbed ProxyShell, which has been exploited in the wild for more than a year. Microsoft’s patches for ProxyShell do not completely remove an attack vector.

The researchers reported the security vulnerabilities to Microsoft three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

GTSC has released very few details regarding these zero-day bugs. Still, its researchers did reveal that the requests used in this exploit chain are similar to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two stages:

  1. Requests with a similar format to the ProxyShell vulnerability: autodiscover/autodiscover.json?<Exchange-backend-endpoint>&Email=autodiscover/
  2. The use of the link above to access a component in the backend where the RCE could be implemented.

“The version number of these Exchange servers showed that the latest update had already installed, so an exploitation using Proxyshell vulnerability was impossible,” the researchers said.

Admins who want to check if their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover.json.*@.*200’

For full malware analysis: 

Detail of the attack and chain

Diagram of the attacks using Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Credit Microsoft

” MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.”

After the discovery two Zero day initiative vulnerabilities were recorded:

Microsoft issued the statement: 

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

Microsoft has recently published  




— exploits 

While details have not been made public for the vulnerabilities in order to prevent abuse, some individuals have been offering ProxyNotShell proof-of-concept (PoC) exploits that have turned out to be fake.

— Detection

Some members of the cybersecurity community have released open source tools that can be used to detect the presence of vulnerabilities.

One example is: 

Mitigation update

Important updates have been made to the Mitigations section improving the URL Rewrite rule. Customers should review the Mitigations section and apply one of these updated mitigation options:

  • Option 1: The EEMS rule is updated and is automatically applied.
  • Option 2: The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
  • Option 3: The URL Rewrite rule instructions have been updated. The string in step 6 and step 9 has been revised. Steps 8, 9, and 10 have updated images.
  • Updated Detection section to refer to Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.

Online Exchange

Alert as highly exploitable (especially 41040). The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns

On-premises exchange:

“The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules.
  6. Select Request Blocking and click OK.
  7. Add String “.*autodiscover.json.*@.*Powershell.*” (excluding quotes) and click OK.
  8. Expand the rule and select the rule with the Pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions.
  9. Change the condition input from {URL} to {REQUEST_URI}

Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

  • HTTP: 5985
  • HTTPS: 5986

On-premises exchange, follow the recommendations: 

Option 2: Microsoft created the following script for the URL Rewrite mitigation steps. 


Appsec Phoenix

Appsec Phoenix Early notification and detection system

We made available for all the users free and not the Alerting system to select the assets and vulnerability automatically to solve

Get access today to the community edition using the link below for free. If you need more assets to scan, we will be happy to help you and provide more licence for free during these challenging times

Post exploitation detection/IoC

Filenames linked to the post-exploitation (see below section for a full hunting suite section)

RedirSuiteServiceProxy.aspxC:ProgramFilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth
pxh4HG1v.ashxC:ProgramFilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth

Suspicious File

On the servers, we detected suspicious files of exe and dll formats

msado32.tlbC:Program FilesCommon Filessystemadomsado32.tlb

Microsoft Exchange Web attack Surface & Attack path

Currently, there are 318382 exchange servers exposed over the public web, all of them could potentially be a target for this new zero-day

At the time of the attack USA, Japan, and UK/Germany were the targets of ATP coming from China.

Target focus of attacks on 30/9/22 for Microsoft exchange zero-day

Detection of compromise Hunting Queries:

Currently, Microsoft has released a full detailed GitHub repository to detect compromises

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts could be related to this thread:

Indicators of attackMITRE ATT&CK techniques observed   
 Possible web shell installation   Installation  
 Possible IIS web shell   Installation   
 Suspicious Exchange Process Execution   Actions  
 Possible exploitation of Exchange Server vulnerabilities  (Requires Exchange AMSI to be enabled) Exploitation  
 Suspicious processes indicative of a web shell   Actions  
 Possible IIS compromise   Actions  

Microsoft Sentinel

Based on what we’re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on web shell threat hunting with Microsoft Sentinel also provides general guidance on looking for web shells. 

The Exchange SSRF Autodiscover ProxyShell detection, created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activities:

Microsoft 365 Defender

Use this query to hunt for Chopper web shell activity:

| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")

Suspicious files in Exchange directories

Use this query to hunt for suspicious files in Exchange directories:

| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\HttpProxy\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

Details on the vulnerabilities

CVE-2022-41040, is a Server-Side Request Forgery (SSRF) – 

A vulnerability has been found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was published on 09/30/2022. The advisory is available at This vulnerability was named CVE-2022-41040. Technical details are unknown but an exploit is available. 

The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation from vulndb) even tough exploit was developed by 

It is declared as highly functional.

It is possible to mitigate the problem by applying the configuration setting.

Why EPSS alone was not active – EPSS currently is scoring vulnerabilities at 0.0 (data still needs to be retrieved)

CTI information gives a range from 8 to now 5 after successful mitigation

CVE-2022-41082– Microsoft Advisory

Currently actively exploited in the wild with persistence – exploit is less active than CVE-2022-41040,

A vulnerability was found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This issue affects an unknown code of the component PowerShell Handler. Impacted is confidentiality, integrity, and availability.

The weakness was released on 09/30/2022. It is possible to read the advisory at The identification of this vulnerability is CVE-2022-41082. Technical details are unknown but an exploit is available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation from vulndb).

Indicators of Compromise (IOCs)

credits GTSC (


File Name: pxh4HG1v.ashx

                Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

                Path: C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthpxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx

                Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5

                Path: C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthRedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx

                Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca

                Path: C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthRedirSuiteServiceProxy.aspx

File Name: Xml.ashx (pxh4HG1v.ashx and Xml.ashx, 2 files have the same contents)

                Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

                Path: C:inetpubwwwrootaspnet_clientXml.ashx

Filename: errorEE.aspx

SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257

Path: C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaautherrorEE.aspx


File name: Dll.dll







File name: 180000000.dll (Dump từ tiến trình Svchost.exe)

SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e























Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Owasp top 10 has been a pillar over the years; sister to CWE – Common Weakness Enumeration we provide an overview of the top software vulnerabilities and web application security risks with a data-driven approach focused on helping identify what risk to fix first.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Asset and Vulnerability Management – Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
With cyber threats growing in sophistication, understanding exploitability has become crucial for security teams to prioritize vulnerabilities effectively. This article explores the key factors that influence the likelihood of exploits in the wild, including attack vectors, complexity levels, privileges required, and more. You’ll learn how predictive scoring systems like EPSS are bringing added dimensions to vulnerability analysis, going beyond static scores. We discuss the importance of monitoring verified threat feeds and exploiting trends from reliable sources, instead of getting distracted by unverified claims and noise. Adopting a risk-based approach to prioritization is emphasized, where critical vulnerabilities are addressed not just based on CVSS severity, but also their likelihood of being exploited and potential business impact. Recent major exploits like Log4Shell are highlighted to stress the need for proactive security. Equipped with the insights from this guide, you’ll be able to implement a strategic, data-backed approach to focusing on the most pertinent risks over the barrage of vulnerabilities.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Improved Management your Vulnerabilities and Assets Display “Closed” vulnerabilities list page Display vulnerability stats in Asset screens Override asset exposure for whole Apps/Envs Filter on-screen dynamic statistical and insights Risk-based Posture Management Update risk formula structure Update Vuln risk formula factors Integrations Configure “vulnerability types” fetched from SonarCloud/SonarQube Users can manually trigger a “scanner refresh” Update Jira tickets when the associated vulnerability is closed Other Improvements Handle large number of items in Treemap chart Improved scanner flow: don’t fetch targets until needed Improved performance of MTTR queries
Alfonso Eusebio

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By