CVE-2022-41082 — Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2022-41082

Microsoft Exchange Server — Authenticated RCE via PowerShell Deserialization as Second Stage of ProxyNotShell

What is Microsoft Exchange Server?

Microsoft Exchange Server is an on-premises enterprise email, calendar, and collaboration platform. Its deep integration into corporate networks, exposure to the internet for mail delivery, and high-value data stores make it one of the most targeted server products in the world. The ProxyNotShell vulnerability pair (CVE-2022-41040 + CVE-2022-41082) follows in a line of critical Exchange attack chains including ProxyLogon and ProxyShell.

Overview

CVE-2022-41082 is the second and critical stage of the ProxyNotShell exploit chain. It is a remote code execution vulnerability in Microsoft Exchange Server's PowerShell remoting endpoint, exploited via insecure deserialization (CWE-502). An authenticated attacker who has first used CVE-2022-41040 to reach the PowerShell endpoint via SSRF can then trigger arbitrary code execution by sending a specially crafted deserialization payload.

Together, the two CVEs enable a network-accessible attacker with only a low-privilege Exchange mailbox account to fully compromise the Exchange server with SYSTEM-equivalent privileges.

Affected Versions

Product                          Vulnerable   Fixed in
Exchange Server 2013 CU23        Yes          November 2022 SU
Exchange Server 2016 CU22/CU23   Yes          November 2022 SU
Exchange Server 2019 CU11/CU12   Yes          November 2022 SU

Exchange Online (Microsoft 365) is not affected.

Technical Details

Exchange's remote PowerShell interface (the /powershell virtual directory, PowerShell Remoting Protocol over HTTP) exchanges serialized .NET objects with its callers. CVE-2022-41082 (CWE-502) is unsafe deserialization of attacker-controlled data on that endpoint. In ProxyNotShell the attacker does not call the endpoint directly: the CVE-2022-41040 SSRF in the Autodiscover front end routes the request to the backend PowerShell endpoint for them.

  • Chain dependency: CVE-2022-41040 is needed to route the request to the backend PowerShell endpoint; on its own, CVE-2022-41082 only yields RCE when PowerShell is already accessible to the attacker, so neither bug alone gives an ordinary user code execution
  • Authentication required: Yes. The attacker needs valid credentials for any mailbox-enabled account; the SSRF carries that authenticated session to the backend endpoint, so this is not a pre-authentication chain like ProxyLogon
  • Attack complexity: Low. The deserialization gadget is well understood and public tooling exists
  • Impact: remote code execution as SYSTEM (the Exchange IIS application pools run as LocalSystem), which means full mailbox access, lateral movement into the domain, and durable backdoors
  • OWASSRF variant: In December 2022 CrowdStrike documented OWASSRF, which bypasses Microsoft's URL Rewrite workaround by reaching the PowerShell endpoint through the OWA front end (attributed to CVE-2022-41080, an elevation-of-privilege bug fixed in the same November 2022 SU) instead of through Autodiscover. Play and Cuba ransomware operators used this variant

Discovery

Discovered by GTSC, a Vietnamese security company, during incident response in August 2022. GTSC reported both CVEs to Microsoft through the Zero Day Initiative and published its findings on September 28, 2022.

Exploitation Context

Active exploitation was observed before Microsoft's September 29, 2022 public disclosure. Threat actors were observed deploying:

  • China Chopper web shells, a lightweight file-based web shell widely used by Chinese-nexus actors
  • AntSword and Behinder, web shell management frameworks used for post-exploitation
  • Credential harvesting tooling, followed by lateral movement into the enterprise network

Exploitation continued after the workaround was published: Play and Cuba ransomware operators were confirmed using OWASSRF to deploy ransomware on Exchange servers that had applied Microsoft's URL Rewrite workaround but not the November 2022 Security Update.

Remediation

  1. Apply the November 2022 Exchange Security Update. It is the definitive fix for CVE-2022-41040 and CVE-2022-41082, and it also fixes CVE-2022-41080, the bug OWASSRF uses in place of the Autodiscover SSRF
  2. Do not rely on the URL Rewrite workaround alone; OWASSRF bypassed it, so the Security Update is required
  3. Disable remote PowerShell for non-administrative users. Microsoft's guidance does this per account with Set-User -RemotePowerShellEnabled $false. An organization-scoped throttling policy that zeroes PowerShell concurrency has a similar effect, but it also applies to administrators unless they are assigned a separate policy: New-ThrottlingPolicy -Name NoPS -ThrottlingPolicyScope Organization -PowerShellMaxConcurrency 0
  4. Hunt for web shells in the Exchange web directories (for example under the FrontEnd\HttpProxy tree of the Exchange install) and review IIS logs for requests whose URI contains both "autodiscover" and "powershell", and for POST requests under /owa/ whose path reaches powershell (the OWASSRF shape)
  5. Review Exchange audit logs for mailbox access by unexpected accounts from the initial access window (September–November 2022) onward, and through December 2022 for servers that relied on the workaround
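The following is an added example, not code from this page, from Microsoft, or from any vendor tooling. It serves both the Technical Details above (why the URL Rewrite workaround stops the Autodiscover route but not the OWASSRF route) and remediation step 4 (hunting IIS logs). It parses IIS W3C extended log lines using their #Fields header, flags requests shaped like the ProxyNotShell SSRF hop or the OWASSRF variant, and checks each against the final form of Microsoft's published URL Rewrite condition. The log lines, hostnames, IPs and account names are constructed; the exact /owa/ path used by OWASSRF is an assumption, and the regex should be verified against the rule actually deployed on your servers.

```python
"""Hunt Exchange IIS W3C logs for ProxyNotShell-shaped requests and check
each hit against Microsoft's URL Rewrite workaround pattern.

Everything below is an illustrative example: the log lines are constructed,
and the mitigation regex is reproduced from the published guidance rather
than read from a live Exchange host.
"""
from __future__ import annotations

import re

# Final form of the URL Rewrite condition Microsoft published for the
# ProxyNotShell workaround: abort any REQUEST_URI that contains both
# "autodiscover" and "powershell" (case-insensitive). Assumed here; verify
# against the rule on your own servers.
MITIGATION_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS W3C log excerpt (placeholder hosts, IPs and users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-10-02 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200 512
2022-10-02 08:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa%2f 443 - 198.51.100.3 Mozilla/5.0 200 35
2022-10-02 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.json Email=jdoe@example.test&Protocol=ActiveSync 443 CORP\\jdoe 192.0.2.10 Outlook/16.0 200 20
2022-10-02 08:00:04 10.0.0.5 POST /owa/mastermailbox@example.test/powershell - 443 CORP\\jdoe 203.0.113.7 python-requests/2.28 200 301
"""


def mitigation_blocks(request_uri: str) -> bool:
    """True if the URL Rewrite workaround would abort this request."""
    return MITIGATION_PATTERN.search(request_uri) is not None


def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended log text, naming columns from the #Fields header."""
    fields: list[str] = []
    entries: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        entries.append(dict(zip(fields, values)))
    return entries


def request_uri(entry: dict) -> str:
    """Rebuild the REQUEST_URI the rewrite rule sees (stem plus query)."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def classify(uri: str) -> str | None:
    """Label suspicious request shapes; None for ordinary traffic."""
    low = uri.lower()
    if "autodiscover" in low and "powershell" in low:
        return "proxynotshell-ssrf"   # CVE-2022-41040 hop to the powershell endpoint
    if low.startswith("/owa/") and "powershell" in low:
        return "owassrf-variant"      # OWA front end reaching powershell (assumed shape)
    return None


def hunt(text: str) -> list[dict]:
    """Return one record per suspicious request, with the workaround's verdict."""
    hits: list[dict] = []
    for entry in parse_w3c(text):
        uri = request_uri(entry)
        label = classify(uri)
        if label is None:
            continue
        hits.append({
            "time": f"{entry['date']} {entry['time']}",
            "client": entry.get("c-ip"),
            "user": entry.get("cs-username"),
            "uri": uri,
            "label": label,
            "mitigated": mitigation_blocks(uri),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        verdict = "blocked by workaround" if hit["mitigated"] else "NOT blocked by workaround"
        print(f"{hit['time']} {hit['client']} {hit['user']} {hit['label']}: {hit['uri']} ({verdict})")
```

Run against real logs by reading the file into `hunt()`; the legitimate Autodiscover and OWA logon lines are not flagged, the Autodiscover-to-powershell line is flagged and would have been aborted by the workaround, and the /owa/ line is flagged but passes the workaround, which is the gap OWASSRF exploited.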

Key Details

Property              Value
CVE ID                CVE-2022-41082
Vendor / Product      Microsoft — Exchange Server
NVD Published         2022-10-03
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.0
CVSS 3.1 Vector       CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-502
CISA KEV Added        2022-09-30
CISA KEV Deadline     2022-10-21
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

The NVD vector above scores Attack Vector as Adjacent; Microsoft's own assessment rates the bug 8.8 with Attack Vector Network. In practice the ProxyNotShell chain is reachable from the internet by anyone holding mailbox credentials.

Required Action

CISA BOD 22-01 Deadline: 2022-10-21. Apply updates per vendor instructions.

Timeline

Date        Event
2022-09-28  GTSC publicly discloses active exploitation (both bugs had been reported to Microsoft through ZDI in August 2022)
2022-09-29  Microsoft publishes Customer Guidance and the URL Rewrite mitigation
2022-09-30  Added to the CISA Known Exploited Vulnerabilities catalog
2022-10-21  CISA BOD 22-01 remediation deadline
2022-11-08  Microsoft releases the fix in the November 2022 Security Update (Patch Tuesday)
2022-12-20  CrowdStrike publishes OWASSRF, a bypass of Microsoft's URL Rewrite mitigation exploited by Play ransomware