CVE-2022-41040 (ProxyNotShell)

CVSS v3.1 8.8 (High)

EPSS 95.90 % (100^th)

Affected Products 1

Advisories 3

NVD Status Analyzed

Microsoft Exchange Server Elevation of Privilege Vulnerability

Weaknesses

CWE-918: Server-Side Request Forgery (SSRF)

Alias

ProxyNotShell

Related CVEs

CVE-2022-41082

CVE Status: PUBLISHED
NVD Status: Analyzed
CNA: Microsoft Corporation
Published Date: 2022-10-03 01:15:08
(23 months ago)
Updated Date: 2024-06-28 13:57:25
(2 months ago)

Microsoft Exchange Server Server-Side Request Forgery Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)

Description: Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Known to be Used in Ransomware Campaigns: Known
Notes: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Vendor: Microsoft
Product: Exchange Server
In CISA Catalog from: 2022-09-30
(23 months ago)
Due Date: 2022-10-21
(22 months ago)

Affected Products

Microsoft

Exchange Server

Configuration #1

		CPE23	From	Up To
	Microsoft Exchange Server 2013 Cumulative Update 23	cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23
	Microsoft Exchange Server 2016 Cumulative Update 22	cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22
	Microsoft Exchange Server 2016 Cumulative Update 23	cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23
	Microsoft Exchange Server 2019 Cumulative Update 11	cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11
	Microsoft Exchange Server 2019 Cumulative Update 12	cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12