Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

RSAC™ 2025 Conference

May

Computing Cybersecurity Festival

May

SIM Houston Women's Roundtable

May

CISO Strategy Virtual Meetings Seattle

May

May TRU Intelligence Briefing

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On September 29^th, 2022, GTSC disclosed two new vulnerabilities impacting Microsoft Exchange Servers. The vulnerabilities are tracked as CVE-2022-41040 (CVSS:8.8) and CVE-2022-41082 (CVSS:6.3).

CVE-2022-41082 allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability. Microsoft has confirmed that authenticated access to the vulnerable Exchange server is required to exploit both vulnerabilities. The vulnerabilities impact Microsoft Exchange Server versions 2013, 2016, and 2019.

Exploitation of CVE-2022-41040 and CVE-2022-41082 have been identified in the wild. Organizations are strongly recommended to apply the relevant mitigations provided by Microsoft. Once security patches are released, they should be applied as soon as possible.

What we’re doing about it

eSentire Managed Vulnerability Service (MVS) will add plugins for this vulnerability when they become available
IP addresses associated with real-world attacks have been blocked via the eSentire Global Deny List
The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base for signs of exploitation
eSentire MDR for Endpoint has detections in place to identify known post- compromise activity such as the deployment of webshells, including China Chopper
eSentire MDR for Network has detections in place to identify the China Chopper webshell
eSentire security teams are tracking these vulnerabilities for additional details and detection opportunities

What you should do about it

Microsoft Exchange Online Customers do not need to take any additional actions
On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports described in the Microsoft Customer Guidance
Clients with endpoint monitoring in place should ensure endpoint agents are deployed to critical servers such as Exchange

Additional information

In these attacks, CVE-2022-41040 can enable an authenticated attacker to trigger CVE-2022-41082 remotely. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. This is the same pair of exploits seen previously in the ProxyShell vulnerabilities. There is no known impact on Exchange functionality if the URL Rewrite module is installed as recommended.

Researchers have dubbed these exploits ProxyNotShell, as it is the same path and SSRF/RCE pair required to exploit ProxyShell, with the additional requirement of authentication. GTSC’S Red team successfully used the above path to access a component in the Exchange backend and perform RCE. However, GTSC has not released technical details of the vulnerability yet.

GTSC has seen customers experiencing a similar attack leading to webshell through Exchange services. Microsoft also verified limited targeted attacks using the two vulnerabilities. The impact has led to webshell installations aiming to exfiltrate information. There is no concrete attribution at this time, however, Tactics Techniques and Procedures (TTPs), such as the use of China Chopper webshell, align with Chinese-based threat actors.

While Proof-of-Concept (PoC) exploit code is not currently available, the eSentire Threat Intelligence team asses with high confidence that the release of PoC code will result in an increase in real-world attacks against Exchange servers by multiple threat actor groups.

References:

[1] https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
[2] https://www.helpnetsecurity.com/2022/09/30/cve-2022-41040-cve-2022-41082/
[3] https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9?gi=98d52c1539ea
[4] https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040
[7] https://www.esentire.com/blog/proxyshell-microsoft-exchange-vulnerabilities-exploited

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

Unlocking New Possibilities for Network Monitoring and Security with…

Sock(et) Puppet: How RansomHub Affiliates Pull the Strings

Phish & Chips: Serving Up Tycoon 2FA’s Secrets

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Maximum Severity SAP Vulnerability Exploited

CrushFTP Authentication Bypass