4 January 2023

Thousands of MS Exchange servers exposed to ProxyNotShell attacks

Nearly 60,000 Exchange Server instances are still vulnerable to the ProxyNotShell flaws, new research has found.

ProxyNotShell is a moniker for a set of two high-severity Microsoft Exchange vulnerabilities (CVE-2022-41082 and CVE-2022-41040) that have been exploited in attacks linked to a China-based threat actor. CVE-2022-41082 is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while CVE-2022-41040 allows a remote attacker to perform server-side request forgery (SSRF) attacks. Both bugs were fixed as part of Microsoft’s November 2022 Patch Tuesday release.

Last month, cybersecurity firm CrowdStrike revealed that the Play ransomware was using a new exploit chain, dubbed ‘OWASSRF,’ that bypasses ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).

Shortly after CrowdStrike’s report was released, Shadowserver, a cybersecurity nonprofit dedicated to data collection and analysis, discovered 83,946 Microsoft Exchange Server instances likely vulnerable to CVE-2022-41082. As of January 2, the number of vulnerable servers dropped to 60,865.

Vulnerable Exchange servers are valuable targets for cybercriminals, who often use compromised servers as a foothold for breaking into organizations’ networks. For instance, FIN7, a well-known, financially motivated group that targets businesses worldwide, developed an auto-attack system that scans for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities, such as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
