CVE-2022-41040 — Microsoft Exchange Server Server-Side Request Forgery Vulnerability

CVE-2022-41040

Microsoft Exchange Server — Authenticated SSRF as First Stage of ProxyNotShell RCE Chain

What is Microsoft Exchange Server?

Microsoft Exchange Server is an on-premises email, calendar, and collaboration platform used by enterprises worldwide. As a hub for corporate communications, Exchange servers are high-value targets: they often hold sensitive email archives, operate with domain-level privileges, and are exposed to the internet for mail delivery. Exchange has a history of critical vulnerabilities — ProxyLogon (2021), ProxyShell (2021), and now ProxyNotShell (2022).

Overview

CVE-2022-41040 is the first stage of the ProxyNotShell exploit chain. It is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an authenticated attacker to reach internal Exchange back-end components not directly accessible from the internet. When chained with CVE-2022-41082 (remote code execution via PowerShell deserialization), the pair enables a fully remote, authenticated attacker to execute arbitrary code on the Exchange server.

GTSC, a Vietnamese cybersecurity firm, discovered the vulnerability being actively exploited in the wild in September 2022 and reported it to Microsoft through the Zero Day Initiative. Microsoft confirmed exploitation before a patch existed and published mitigation guidance.

Affected Versions

Product                      Vulnerable   Fixed
Exchange Server 2013 CU23    Yes          November 2022 SU (KB5019758)
Exchange Server 2016 CU22    Yes          November 2022 SU (KB5019758)
Exchange Server 2016 CU23    Yes          November 2022 SU (KB5019758)
Exchange Server 2019 CU11    Yes          November 2022 SU (KB5019758)
Exchange Server 2019 CU12    Yes          November 2022 SU (KB5019758)

Exchange Online (Microsoft 365) is not affected.

Technical Details

The SSRF sits in the Exchange front end's handling of the Autodiscover endpoint. An authenticated attacker sends a crafted HTTP request to /autodiscover/autodiscover.json whose URL carries a manipulated parameter, and the front end (Client Access) proxies the request on to a back-end component of the attacker's choosing rather than to Autodiscover. In the ProxyNotShell chain that target is the PowerShell remoting endpoint on the Exchange Back End site (port 444), which is not directly reachable from the internet.

  • Authentication required: Yes — low-privilege Exchange mailbox user is sufficient
  • Attack complexity: Low — straightforward HTTP request with a manipulated URL parameter
  • Chain dependency: this CVE alone provides SSRF access; remote code execution requires chaining with CVE-2022-41082
  • Related vulnerabilities: resembles ProxyShell (CVE-2021-34473) in attack surface. Microsoft's initial URL Rewrite mitigation was bypassed by the OWASSRF variant CrowdStrike described in December 2022, which reaches the same PowerShell back end through the /owa/ path (CVE-2022-41080) and therefore never matched a rule keyed on the Autodiscover path

Discovery

Discovered by GTSC (GiaoThongTinHocSaiGon Technology Security Company) during incident response at a Vietnamese customer in late September 2022. GTSC reported the zero-day to Microsoft via Zero Day Initiative on September 28, 2022. Exploitation was already occurring before the report was submitted.

Exploitation Context

Active exploitation began before Microsoft's public disclosure. Observed attacks included:

  • Deployment of China Chopper web shells on Exchange servers
  • Use of the web shell clients AntSword and Behinder (both commonly associated with Chinese-nexus threat actors)
  • Reconnaissance and lateral movement following initial server compromise
  • Later linked to ransomware deployment (Play, Cuba) via the OWASSRF bypass variant

The ransomware flag in Key Details reflects later exploitation through the OWASSRF variant against servers that had applied Microsoft's initial URL Rewrite mitigation but not the November 2022 Security Update: OWASSRF enters through the /owa/ path instead of Autodiscover, so the mitigation rule never fired.

Remediation

  1. Apply the November 2022 Exchange Security Update for your CU version. This is the definitive fix and also closes CVE-2022-41080, the OWA-path variant that OWASSRF exploits
  2. If patching is delayed, apply Microsoft's URL Rewrite mitigation rule. Microsoft revised the rule several times after bypasses; the final version matches the pattern (?=.*autodiscover)(?=.*powershell) against {REQUEST_URI}. Even the final rule does not stop OWASSRF, which does not use the Autodiscover path, so treat the rule as a stopgap only
  3. Disable remote PowerShell for non-administrative mailbox users where possible (Set-User with -RemotePowerShellEnabled $false); the chain needs the PowerShell back end as its target, and a low-privilege mailbox is enough to reach it
  4. Review the IIS logs (by default under %SystemDrive%\inetpub\logs\LogFiles) for requests to /autodiscover/autodiscover.json whose URL also contains an '@' and a reference to the PowerShell back end. Microsoft's published hunt keys on 'powershell', 'autodiscover.json' and '@' appearing together on a line with status 200. Also check /owa/ requests that reference powershell, which is the OWASSRF shape
  5. Hunt for web shells (recently written .aspx/.ashx files) in \inetpub\wwwroot\aspnet_client\ and \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\, and compare file write times against the log hits from step 4
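Hunting for the request shape described under Technical Details, together with the log and file checks in steps 4 and 5, as an added example. This is illustrative code written for this page, not Microsoft's, GTSC's or CrowdStrike's tooling: the function names are mine, the IIS log excerpt is constructed rather than captured, and the OWASSRF regex is my own approximation of that variant's /owa/ path (Microsoft's published rule only covers the Autodiscover lookahead pattern). Run it in PowerShell on the Exchange server; for real data, feed Find-ExchangeSsrfHits the contents of the IIS log files with Get-Content.

```powershell
# Added hunting example for this page (not Microsoft, GTSC or CrowdStrike code).
# The sample IIS log lines at the bottom are constructed, not captured traffic.

function Test-ExchangeSsrfRequest {
    # Classifies one request by the URL shapes described on the page.
    # Returns 'ProxyNotShell', 'OWASSRF' or $null.
    param(
        [Parameter(Mandatory)][string]$UriStem,   # IIS cs-uri-stem
        [string]$UriQuery = ''                    # IIS cs-uri-query ('-' when absent)
    )
    $full = if ($UriQuery -and $UriQuery -ne '-') { "${UriStem}?${UriQuery}" } else { $UriStem }

    # ProxyNotShell: an Autodiscover request whose URL also names the back-end
    # PowerShell endpoint. This lookahead form is the pattern Microsoft settled
    # on for its URL Rewrite rule; -match is case-insensitive by default.
    if ($full -match '(?=.*autodiscover)(?=.*powershell)') { return 'ProxyNotShell' }

    # OWASSRF: the same back-end reach through /owa/ instead of Autodiscover,
    # which an Autodiscover-keyed rule never sees. This pattern is an assumption.
    if ($full -match '^/owa/.*powershell') { return 'OWASSRF' }

    return $null
}

function Find-ExchangeSsrfHits {
    # Parses IIS W3C log lines (a '#Fields:' header followed by records) and
    # emits one object per request matching either pattern.
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = @()
    $hits = foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $verdict = Test-ExchangeSsrfRequest -UriStem $row['cs-uri-stem'] -UriQuery $row['cs-uri-query']
        if ($verdict) {
            [pscustomobject]@{
                Pattern = $verdict
                Time    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                User    = $row['cs-username']
                Status  = [int]$row['sc-status']   # Microsoft's published search keys on 200
                Request = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
            }
        }
    }
    return @($hits | Where-Object { $null -ne $_ })
}

function Find-RecentExchangeWebFiles {
    # Lists script files written since $Since under the two directories named
    # in step 5; a fresh .aspx in aspnet_client is a classic web shell drop.
    param(
        [datetime]$Since = (Get-Date).AddDays(-30),
        [string]$ExchangeRoot = $(if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15' })
    )
    $paths = @(
        (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy')
    )
    Get-ChildItem -Path $paths -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, LastWriteTime, Length
}

# Constructed IIS log excerpt: two ProxyNotShell-shaped rows, one OWASSRF-shaped
# row, a plain OWA logon, and a legitimate Autodiscover V2 lookup that contains
# '@' but no PowerShell target (it must not be reported).
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-09-30 08:12:01 GET /autodiscover/autodiscover.json @corp.example/powershell?Email=autodiscover/autodiscover.json%3f@corp.example corp\jdoe 203.0.113.7 200
2022-09-30 08:12:05 POST /autodiscover/autodiscover.json @corp.example/powershell?Email=autodiscover/autodiscover.json%3f@corp.example corp\jdoe 203.0.113.7 200
2022-09-30 08:13:10 GET /owa/auth/logon.aspx - - 198.51.100.4 200
2022-09-30 08:14:00 GET /autodiscover/autodiscover.json Email=user@corp.example&Protocol=ActiveSync - 198.51.100.9 200
2022-12-20 11:02:33 POST /owa/corp.example/powershell - corp\jdoe 203.0.113.7 200
'@ -split "`r?`n"

Find-ExchangeSsrfHits -LogLines $sampleLog | Format-Table -AutoSize

# On a real server, feed actual logs and check the hunt directories:
#   Find-ExchangeSsrfHits -LogLines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log")
#   Find-RecentExchangeWebFiles -Since (Get-Date '2022-09-01')
```

The classifier deliberately matches on the whole stem-plus-query string, because the Autodiscover stem on its own is benign and the PowerShell reference lands in the query portion; a 200 on a matching row means the front end accepted and proxied the request, which is why Microsoft's own log search includes the status.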

Key Details

Property              Value
CVE ID                CVE-2022-41040
Vendor / Product      Microsoft — Exchange Server
NVD Published         2022-10-03
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-918 (Server-Side Request Forgery)
CISA KEV Added        2022-09-30
CISA KEV Deadline     2022-10-21
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-10-21. Apply updates per vendor instructions.

Timeline

Date         Event
2022-09-28   Vietnamese security company GTSC reports active exploitation to Microsoft via ZDI
2022-09-29   Microsoft publishes Customer Guidance blog and mitigation workarounds
2022-09-30   Added to CISA Known Exploited Vulnerabilities catalog
2022-10-21   CISA BOD 22-01 remediation deadline
2022-11-08   Microsoft releases official patch in November 2022 Patch Tuesday