Nearly 70K Unpatched Exchange Servers Are Sitting Ducks For ProxyNotShell Exploit

We all like to think our organization's e-mail is secure, confident that the IT administrator is keeping things patched, safe, and up to date. After all, you have to change your password every three months, right? Well, according to a recent report, more than 70,000 Microsoft Exchange servers remain unpatched and vulnerable to an exploit known as ProxyNotShell.

We reported on ProxyNotShell back in October of 2022, and Microsoft provided some mitigation options that were rapidly bypassed by attackers. The exploit, tracked as CVE-2022-41082, lets an attacker craft malicious requests which the server processes, resulting in arbitrary remote code execution. This in turn would allow an attacker to gain administrative rights and access to the entire Exchange server deployment. The attack vector itself appears to be Outlook Web Access. An attacker needs an existing user account to exploit the vulnerability; however, the level of access that user has does not seem to matter.

According to ShadowServer, a non-profit security research organization, its scans showed that more than 70,000 public-facing IP addresses running Exchange responded with version numbers lower than that of the November 2022 patch which resolves the issue. While this is much lower than the number of unpatched servers before the patch's release, it still leaves a hefty quantity of vulnerable servers.
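A defender-side version of the check behind that scan, comparing each server's reported build against the minimum patched build for its Cumulative Update. This is an added example, not code from the article or from ShadowServer; the threshold table, hostnames and version strings are placeholders constructed for the example, and the real November 2022 build numbers must come from Microsoft's published Exchange build table.

```python
"""Flag Exchange servers whose build is below the minimum patched build for their CU.

Exchange reports its build as major.minor.cu.su, where 15.0, 15.1 and 15.2 correspond to
Exchange 2013, 2016 and 2019, the third field identifies the Cumulative Update (CU) and the
fourth the Security Update (SU) level. A server is unpatched if its SU level is below the
patched SU for its CU. Builds must be compared as integer tuples: comparing version strings
lexicographically ranks "15.2.986.36" above "15.2.1118.20".
"""
import re
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int, int, int]

# PLACEHOLDER thresholds (constructed for this example): (major, minor, cu_build) -> minimum
# patched su_build. Replace every entry with the real November 2022 SU build numbers from
# Microsoft's published Exchange build table before using this against a real fleet.
MIN_PATCHED_SU: Dict[Tuple[int, int, int], int] = {
    (15, 2, 1000): 40,  # placeholder for an Exchange 2019 CU
    (15, 2, 900): 30,   # placeholder for an older Exchange 2019 CU
    (15, 1, 2000): 30,  # placeholder for an Exchange 2016 CU
    (15, 0, 1400): 50,  # placeholder for an Exchange 2013 CU
}

_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(text: str) -> Optional[Build]:
    """Parse 'a.b.c.d' into an integer tuple; return None for anything else."""
    match = _BUILD_RE.match(text)
    if not match:
        return None
    major, minor, cu, su = (int(part) for part in match.groups())
    return (major, minor, cu, su)


def assess(build: Build) -> str:
    """Classify one build as 'patched', 'unpatched' or 'unknown_cu'.

    'unknown_cu' means the CU is not in the threshold table: either a CU newer than the
    table or one that is out of support. Both need a human look rather than a silent pass.
    """
    major, minor, cu, su = build
    minimum = MIN_PATCHED_SU.get((major, minor, cu))
    if minimum is None:
        return "unknown_cu"
    return "patched" if su >= minimum else "unpatched"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host in (host, reported_version) pairs to its patch status."""
    result: Dict[str, str] = {}
    for host, reported in inventory:
        build = parse_build(reported)
        result[host] = "unparseable" if build is None else assess(build)
    return result


def unpatched_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that definitely sit below the patched SU for their CU, sorted for reporting."""
    return sorted(h for h, status in audit(inventory).items() if status == "unpatched")


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mail01.example.test", "15.2.1000.39"),   # one SU behind the placeholder threshold
    ("mail02.example.test", "15.2.1000.40"),   # exactly at the threshold
    ("mail03.example.test", "15.1.2000.29"),   # behind
    ("legacy.example.test", "15.0.1400.50"),   # at the threshold
    ("odd.example.test", "15.2.999.40"),       # CU not in the table
    ("broken.example.test", "n/a"),            # inventory gap, reported rather than passed
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:24s} {status}")
```

Hosts whose CU is missing from the table or whose version cannot be parsed are reported as `unknown_cu` or `unparseable` rather than counted as patched, so an incomplete inventory shows up as work to do instead of a false clean bill.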
According to ShadowServer's tweet, the majority of those still affected are in the United States and Germany. We understand the reluctance to upgrade certain mission-critical software such as Microsoft Exchange. It is a beast of an application, and many organizations cannot afford e-mail downtime. However, in many cases the cost-risk analysis of skipping the upgrade means heightened exposure to attackers, which could end up with far more sensitive information being leaked or breached. That in turn can lead to far more problems for your organization down the line. So to those of you who still haven't upgraded to at least that patch, we highly recommend you do so.