Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

Elevate IT Technology Summit Tampa

Apr

ILTA Evolve

Apr

RSAC™ 2025 Conference

May

SIM Houston Women's Roundtable

May

Computing Cybersecurity Festival

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

eSentire is aware of public Proof-of-Concept (PoC) exploit code for the ProxyNotShell Exchange vulnerabilities (CVE-2022-41040 [CVSS:8.8], CVE-2022-41082 [CVSS:8.0]). The publication of this PoC code is expected to result in an increase in real-world attacks exploiting these vulnerabilities in the immediate future.

The ProxyNotShell vulnerabilities impact Microsoft Exchange Server 2013, 2016, 2019. CVE-2022-41082 allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, that would allow an attacker to run PowerShell in the context of the compromised system. Both vulnerabilities require previous authentication for exploitation.

Limited exploitation of these vulnerabilities has been ongoing since at least September 2022. eSentire released a Security Advisory regarding ProxyNotShell on September 30th; at the time eSentire assessed with 'high confidence that the release of PoC code will result in an increase in real-world attacks against Exchange servers by multiple threat actor groups'. eSentire’s assessment remains the same, and additional attacks exploiting these vulnerabilities are expected.

What we’re doing about it

eSentire Managed Vulnerability Service (MVS) has plugins in place to identify both vulnerabilities
- Customers with identified vulnerable devices are being contacted by eSentire’s Security Operations Center (SOC)
eSentire MDR for Network has rules in place to detect exploitation attempts
IP addresses, associated with real-world attacks, have been blocked via the eSentire Global Deny List
The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base for known signs of exploitation based on the September campaigns
eSentire MDR for Endpoint has detections in place to identify known post- compromise activity such as the deployment of webshells, including China Chopper
eSentire security teams continue to track these vulnerabilities for additional details and detection opportunities

What you should do about it

After performing a business impact review, apply the relevant security patches released by Microsoft on November 8th, 2022
If patching is not immediately possible, alternative mitigations are available
Microsoft Exchange Online Customers do not need to take any additional actions

Additional information

The PoC exploit code has been tested and found effective against unpatched Exchange Server versions 2016 and 2019. Exploitation of Exchange Server 2013 would require additional code changes to the exploit code.

The ProxyNotShell vulnerabilities were initially disclosed in late September 2022. Microsoft released security patches for both vulnerabilities in the November 2022 Patch Tuesday release. Researchers have dubbed these exploits ProxyNotShell, as they have the same path and SSRF/RCE pair required to exploit ProxyShell, with the additional requirement of authentication. In known real-world attacks, threat actors have exploited the pair of vulnerabilities to deploy the China Chopper webshell on impacted Microsoft Exchange servers.

References:
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
[3] https://www.esentire.com/security-advisories/microsoft-exchange-vulnerabilities-exploited

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

The Long and Short(cut) of It: KoiLoader Analysis

From Access to Encryption: Dissecting Hunters International's Latest…

eSentire and Qylis Form Strategic Partnership to Deliver Compliant…

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

CrushFTP Authentication Bypass

Critical Next.js Vulnerability (CVE-2025-29927)