January 4, 2023

More than 60,000 Microsoft Exchange Servers still vulnerable to ProxyNotShell

Despite repeated warnings, many businesses have not taken steps to combat the problem which leaves systems open to attack.

By Claudia Glover

More than 60,000 Microsoft Exchange Servers remain unpatched and vulnerable to the so-called ProxyNotShell vulnerability, it has been revealed. Exchange Server vulnerabilities are popular among criminal gangs, and security agencies have released strict guidelines for implementing patches or separating the servers from the internet to try to counter potential attacks.

More than 60,000 Microsoft Exchange servers are still vulnerable to attack. (Photo by monticello/Shutterstock)

Data released this week by the ShadowServer Foundation, a non-profit focusing on internet security, found that 60,865 servers have not yet been patched against the vulnerability, which was discovered last year.

How ProxyNotShell impacts Microsoft Exchange servers

ProxyNotShell is the name given to two specific Microsoft Exchange Server vulnerabilities, CVE-2022-41082 and CVE-2022-41040. The flaws affect Exchange Server 2013, 2016 and 2019 and, when exploited, allow attackers to carry out remote code execution on affected systems.

Microsoft released patches for the ProxyNotShell vulnerabilities in November, but many companies have been slow to implement the security measures, despite Microsoft stating at the time that it “recommends that customers protect their organisations by applying the updates immediately to affected systems”.

Hacking gangs Play, LockBit and BlackCat are among those known to have taken advantage of the vulnerability. Play uses Microsoft Exchange Server vulnerabilities as one of its main intrusion techniques, according to security company CrowdStrike. While investigating Play’s attack tactics, researchers found Microsoft Exchange servers were exploited almost every time. “It appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange,” the CrowdStrike report says.

US cybersecurity agency CISA, its UK equivalent the National Cyber Security Centre (NCSC), and the FBI have all released guidance urging companies to keep Microsoft Exchange Server patches up to date to guard against exploitation of vulnerabilities such as ProxyNotShell.

“If organisations cannot install the updates or apply any of the mitigations, the NCSC recommends isolating the Exchange server from the internet,” NCSC guidance says.
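The guidance above boils down to a simple triage rule for each Exchange server in an estate: either its build carries the security update, or it should not be reachable from the internet. The script below is an added example (not code from the article, Microsoft, the NCSC or CISA) that applies that rule to a server inventory. It takes each host's four-part build string, as Exchange reports it in the AdminDisplayVersion property, and compares the revision against a minimum patched revision for that cumulative-update line. The build numbers in SAMPLE_BASELINE and the hostnames are constructed placeholders; a real run needs the minimum patched builds taken from Microsoft's published Exchange build number table.

```python
"""Patch-or-isolate audit for an Exchange inventory (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int, int, int]

# Exchange product family is encoded in the major.minor of the build number.
PRODUCT_BY_PREFIX: Dict[Tuple[int, int], str] = {
    (15, 0): "Exchange 2013",
    (15, 1): "Exchange 2016",
    (15, 2): "Exchange 2019",
}

# Baseline: product -> {CU build component: minimum revision carrying the update}.
# CONSTRUCTED PLACEHOLDER numbers for illustration only; replace with the real
# minimum builds for the November 2022 security update per CU line.
SAMPLE_BASELINE: Dict[str, Dict[int, int]] = {
    "Exchange 2013": {1497: 40},
    "Exchange 2016": {2507: 10},
    "Exchange 2019": {986: 30, 1118: 15},
}


@dataclass
class ExchangeHost:
    name: str
    build: str            # e.g. "15.2.1118.20" (AdminDisplayVersion-style)
    internet_exposed: bool


@dataclass
class Finding:
    name: str
    status: str           # patched | unpatched-exposed | unpatched-isolated | unknown-product | bad-build
    detail: str


def parse_build(text: str) -> Build:
    """Parse 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def classify(host: ExchangeHost, baseline: Dict[str, Dict[int, int]]) -> Finding:
    """Decide whether a host satisfies 'patched, or else isolated from the internet'."""
    try:
        major, minor, cu, rev = parse_build(host.build)
    except ValueError as exc:
        return Finding(host.name, "bad-build", str(exc))

    product: Optional[str] = PRODUCT_BY_PREFIX.get((major, minor))
    if product is None or product not in baseline:
        return Finding(host.name, "unknown-product", f"no baseline for build {host.build}")

    min_rev = baseline[product].get(cu)
    if min_rev is not None and rev >= min_rev:
        return Finding(host.name, "patched", f"{product} build {host.build} meets baseline")

    # A CU line absent from the baseline no longer receives security updates,
    # so it is treated exactly like an unpatched supported build.
    reason = (f"CU line {cu} has no patched build; upgrade the CU"
              if min_rev is None else f"revision {rev} below minimum {min_rev}")
    status = "unpatched-exposed" if host.internet_exposed else "unpatched-isolated"
    return Finding(host.name, status, f"{product}: {reason}")


def audit(hosts: List[ExchangeHost], baseline: Dict[str, Dict[int, int]]) -> List[Finding]:
    """Classify every host, listing internet-exposed unpatched servers first."""
    order = {"unpatched-exposed": 0, "bad-build": 1, "unknown-product": 2,
             "unpatched-isolated": 3, "patched": 4}
    findings = [classify(h, baseline) for h in hosts]
    return sorted(findings, key=lambda f: (order[f.status], f.name))


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_HOSTS: List[ExchangeHost] = [
    ExchangeHost("exch01", "15.2.1118.20", internet_exposed=True),
    ExchangeHost("exch02", "15.2.1118.10", internet_exposed=True),
    ExchangeHost("exch03", "15.1.2507.5", internet_exposed=False),
    ExchangeHost("exch04", "15.0.1395.12", internet_exposed=True),
    ExchangeHost("exch05", "15.2", internet_exposed=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS, SAMPLE_BASELINE):
        print(f"{f.name:8} {f.status:20} {f.detail}")
```

The ordering in `audit` is deliberate: an unpatched server that is also internet-exposed is the case both the NCSC and CISA guidance is aimed at, so it sorts to the top, while an unpatched server that is already isolated is listed but ranked below parse failures and unknown builds, which still need a human to look at them.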


Rackspace hack highlights vulnerability of Microsoft Exchange servers

Meanwhile, other vulnerabilities in Microsoft Exchange have also proved problematic for businesses. The recent attack on Rackspace was perpetrated by Play, and left users of Rackspace’s managed Microsoft Exchange environment without access to their emails. Karen O’Reilly-Smith, Rackspace’s chief security officer, explained that the attack was linked to a zero-day exploit associated with CVE-2022-41080.

The incident was first announced on 2 December last year, and the company is still working to restore lost data to customers affected by the attack.

“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability, and did not include notes for being part of a Remote Code Execution chain that was exploitable,” O’Reilly-Smith said.

