A security researcher known online as "Janggggg" has published proof-of-concept (PoC) code for a pair of high-severity Microsoft Exchange vulnerabilities dubbed "ProxyNotShell", which are said to have been actively exploited in the wild since at least September 2022.
The two flaws (CVE-2022-41040 and CVE-2022-41082) affect Microsoft Exchange Server 2013, 2016, and 2019. Chained together, they allow attackers to elevate privileges, run PowerShell in the context of the system, and gain arbitrary or remote code execution on breached servers.
A China-linked threat group has been observed exploiting the vulnerabilities to deploy China Chopper web shells on compromised servers for persistence and data theft, and to move laterally to other systems on the victims' networks. The ProxyNotShell bugs were fixed by Microsoft earlier this month as part of the November 2022 Patch Tuesday release.
The well-known cybersecurity researcher Will Dormann has confirmed that the exploit works against Exchange Server 2016 and 2019, as well as Exchange Server 2013, albeit with some tweaking.
The public availability of an exploit for the ProxyNotShell flaws considerably increases the risk of attacks, so all Microsoft Exchange users are strongly recommended to apply the relevant patch as soon as possible.