
CVE-2022-41040: Microsoft Exchange — ProxyNotShell SSRF

CVE Details

CVE ID CVE-2022-41040
CVSS Score 8.8
Severity High
Vendor Microsoft
Product Exchange Server
Patch Status Available
Published September 30, 2022
EPSS Score 94.1%
CISA Patch Deadline October 21, 2022 (federal deadline passed)

Background

In late September 2022, Vietnamese security firm GTSC reported that two new Exchange vulnerabilities were being actively exploited in the wild — before Microsoft had patches ready. The pair were quickly dubbed “ProxyNotShell” (a reference to ProxyShell, with the “not” acknowledging they’re different bugs requiring different exploitation techniques). CVE-2022-41040 is the SSRF component, and CVE-2022-41082 is the RCE that follows.

Unlike ProxyShell, these vulnerabilities require the attacker to be authenticated with a valid Exchange account. That’s a meaningful hurdle in some environments, but in practice attackers were obtaining credentials via credential stuffing, phishing, or buying them from initial access brokers — and any low-privilege mailbox user was enough.

Technical Mechanism

Exchange’s Autodiscover feature routes requests to backend services. CVE-2022-41040 exploits a URL pattern vulnerability in this routing mechanism, essentially a variation on the ProxyShell theme but with different triggering conditions.

The attack path:

  1. An authenticated user sends a crafted request to https://[exchange]/autodiscover/autodiscover.json?@[domain]/owa/ with specific URL patterns
  2. Exchange’s Client Access Service processes this and proxies the request to the backend PowerShell service in the context of the authenticated user’s session
  3. This SSRF enables reaching the Exchange PowerShell remoting endpoint (/powershell/)

Then CVE-2022-41082 takes over:

  1. With access to the PowerShell remoting endpoint, the attacker executes arbitrary PowerShell commands in the Exchange context
  2. The New-MailboxExportRequest cmdlet (or similar) writes arbitrary files to disk, dropping a webshell

The key difference from ProxyShell: the attacker needs valid Exchange credentials. This initially led Microsoft to downplay the urgency, which was a mistake — credentials are cheap, and the CVSS score of 8.8 reflects the authentication prerequisite.

Real-World Exploitation Evidence

GTSC identified active exploitation targeting their clients in August 2022. The threat actors were deploying:

  • China Chopper webshells — classic backdoor used by Chinese APT groups
  • ANTSWORD — a Chinese-language web shell management tool
  • FINALDRAFT — a custom implant observed in later campaigns leveraging this access

Microsoft Threat Intelligence assessed the activity as consistent with state-sponsored Chinese threat actors based on TTPs, targeting, and tool selection.

The access was used for credential harvesting, email reconnaissance, and establishing persistent backdoors on Exchange servers before lateral movement deeper into victim networks.

Impact Assessment

Exploitation achieves Exchange System account access — not quite domain admin, but close:

  • Arbitrary code execution on the Exchange server
  • Webshell persistence — these survive patching
  • Full email access across the organisation
  • Credential harvesting via LSASS dump or Exchange database access
  • Internal network access — Exchange servers are typically well-connected internally
  • Domain escalation — Exchange’s AD permissions (WriteDACL on domain objects by default in many configs) can be abused to escalate to domain admin

Affected Versions

Product                          Affected Versions   Fixed Version
Microsoft Exchange Server 2013   All versions        November 2022 SU
Microsoft Exchange Server 2016   CU23 and earlier    CU23 Nov 2022 SU
Microsoft Exchange Server 2019   CU12 and earlier    CU12 Nov 2022 SU

Remediation Steps

  1. Apply November 2022 Exchange Security Updates (November 2022 Patch Tuesday)
  2. As a temporary mitigation before patching, add a blocking rule via the Exchange Emergency Mitigation Service (EEMS):
    # Enable EEMS on Exchange server (automatic mitigation)
    Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
  3. Alternatively, block the pattern via URL Rewrite in IIS — add a rule blocking requests to autodiscover.json with the @ pattern in the URL
  4. Audit for webshells in Exchange directories (standard post-ProxyShell checklist applies)
  5. Review IIS logs for requests matching the Autodiscover URL pattern with @ characters
  6. Check Exchange PowerShell logs for unexpected cmdlet execution, particularly New-MailboxExportRequest
  7. Rotate all Exchange service account credentials if compromise is suspected

Detection Guidance

IIS logs — search for requests to /autodiscover/autodiscover.json with @ followed by a path segment. These requests should not normally occur from external sources.

Regex pattern:

/autodiscover/autodiscover\.json\?@[^/]+/
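The IIS log review from the remediation list and the regex above, as an added Python example that is not part of the original advisory: it maps W3C log columns from the #Fields header, rejoins cs-uri-stem and cs-uri-query (IIS logs them as separate columns, so the regex cannot be run over a raw line), decodes a percent-encoded `%40`, and applies the pattern. The log lines, hostnames and IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# The advisory's regex: '/autodiscover/autodiscover.json?@<segment>/'.
PATTERN = re.compile(r"/autodiscover/autodiscover\.json\?@[^/]+/", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, mapping columns from the #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # IIS may change columns mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # malformed line; do not mis-map columns
        yield dict(zip(fields, values))

def reconstruct_uri(rec):
    """Rejoin cs-uri-stem and cs-uri-query so the advisory regex applies."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    # IIS logs the URL as sent; a percent-encoded '%40' is still an '@'.
    return unquote(uri)

def find_suspicious(lines):
    """Return (client IP, user, decoded URI, status) for each matching request."""
    hits = []
    for rec in parse_w3c(lines):
        uri = reconstruct_uri(rec)
        if PATTERN.search(uri):
            hits.append((rec.get("c-ip"), rec.get("cs-username"), uri, rec.get("sc-status")))
    return hits

# Constructed sample log (not real traffic): two probes, one using '%40', and
# two benign requests, one carrying a legitimate '@' inside an Email= query.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/owa/ 443 CORP\alice 203.0.113.7 python-requests/2.28 200
2022-09-29 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example%2Fowa%2F 443 CORP\alice 203.0.113.7 python-requests/2.28 200
2022-09-29 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=bob@corp.example 443 CORP\bob 10.0.0.44 Microsoft+Office/16.0 200
2022-09-29 10:16:30 10.0.0.5 GET /owa/ - 443 - 10.0.0.44 Mozilla/5.0 302
"""
```

Running `find_suspicious(SAMPLE_LOG.splitlines())` returns the two probe requests only; the legitimate Autodiscover lookup with `Email=bob@corp.example` does not match because its `@` does not directly follow the `?`.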

Windows Event Logs — PowerShell module and script block logging (Event IDs 4103/4104) for Exchange PowerShell remoting sessions from unexpected source IPs.

Exchange logs — look in C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Autodiscover\ for suspicious request patterns.

Suricata signature:

alert http any any -> $HTTP_SERVERS any (msg:"Exchange ProxyNotShell CVE-2022-41040 SSRF Attempt"; flow:established,to_server; http.uri; content:"/autodiscover/autodiscover.json"; content:"@"; distance:0; within:100; pcre:"/autodiscover\.json\?@[^\/]+\//i"; classtype:web-application-attack; sid:2034006; rev:1;)

Timeline

Date                 Event
August 2022          GTSC identifies active exploitation by suspected Chinese APT actors
29 September 2022    GTSC discloses publicly; Microsoft acknowledges zero-day exploitation
October 2022         Microsoft releases temporary mitigations; patches not yet available
8 November 2022      Microsoft releases patches in November 2022 Patch Tuesday
November 2022        CISA adds to Known Exploited Vulnerabilities catalogue
2022–2023            Continued exploitation; webshells dropped during zero-day period found on unpatched systems