CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2022-41040 and CVE-2022-41082 Explained: ProxyNotShell, the Microsoft Exchange Chain

Two chained Exchange Server vulnerabilities, an SSRF and a PowerShell RCE, requiring only valid credentials to achieve full server compromise. Disclosed September 2022, exploited before patches existed.

8.8
CVSS (CVE-41082)
Auth
Required (Low Priv)
3
Affected Exchange Versions
0-day
Exploited Before Patch

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-41040 and CVE-2022-41082 are two Microsoft Exchange Server vulnerabilities that, when chained, allow an authenticated attacker with a valid mailbox account to achieve remote code execution on the Exchange server. The combination was named ProxyNotShell by the security community due to its similarity to the ProxyShell exploit chain from 2021.

The vulnerabilities were discovered by Vietnamese cybersecurity firm GTSC during an incident response engagement in August 2022, where attackers were actively using them as a zero-day. GTSC reported the findings to Microsoft through the Zero Day Initiative. Microsoft confirmed active exploitation and published mitigation guidance while developing patches, which were released in November 2022.

The ProxyNotShell Chain: SSRF to PowerShell RCE

CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server's Autodiscover component. When exploited, it allows an authenticated attacker to make the Exchange server issue HTTP requests to internal endpoints that should not be externally reachable, including the PowerShell remoting endpoint on port 44336.

CVE-2022-41082 is a remote code execution vulnerability accessible via Exchange's PowerShell remoting interface. Alone, it requires a network path to the PowerShell endpoint that is typically not internet-accessible. Chained with CVE-2022-41040, the SSRF provides exactly that path, routing the attacker's crafted PowerShell commands through Exchange's own internal request mechanism.

The combined attack requires valid Exchange credentials (any mailbox user with no special permissions) and network access to the Exchange server's HTTPS interface on port 443. From that baseline, the chain achieves RCE running as SYSTEM on the Exchange server.

Shell artifacts observed in early exploitation included China Chopper-variant web shells, the same webshell family used in the ProxyLogon campaign of March 2021, suggesting continuity between threat actor toolsets targeting Exchange.

1

Authenticate with valid credentials

Attacker authenticates to Exchange using any valid mailbox account. Low-privilege credentials are sufficient, no admin rights required. Credentials may be obtained via phishing, credential stuffing, or prior compromise.

2

Exploit CVE-2022-41040 SSRF

Send a crafted request to the Autodiscover endpoint that causes Exchange to make an internal HTTP request to the Exchange PowerShell remoting endpoint (normally accessible only from localhost).

3

Reach PowerShell remoting endpoint

The SSRF routes the attacker's request to port 44336, Exchange's internal PowerShell endpoint, through the Exchange server itself, bypassing network-level access controls.

4

Exploit CVE-2022-41082 for RCE

Deliver a crafted PowerShell payload via the proxied connection that exploits the deserialization or command injection flaw in CVE-2022-41082, achieving code execution in the context of the Exchange server process.

5

Deploy web shell

Write a web shell (commonly China Chopper) to the Exchange web root or OWA directory, establishing persistent access that survives patching if not detected and removed.

ProxyNotShell Compared to ProxyLogon and ProxyShell

Microsoft Exchange has been the site of three major exploit chain disclosures in two years. ProxyLogon (March 2021) used an SSRF plus a post-auth file write to achieve pre-authentication RCE. ProxyShell (August 2021) chained three CVEs through the Exchange Autodiscover service for unauthenticated RCE. ProxyNotShell (September 2022) requires authentication, making it more constrained than its predecessors, but still broadly exploitable given the frequency with which Exchange credentials are exposed through phishing and credential breach.

A critical difference: ProxyNotShell was being actively exploited in the wild as a zero-day for at least a month before Microsoft confirmed it publicly. During that period, Microsoft issued URL rewrite rule mitigations that were subsequently found to be bypassable. The November 2022 Patch Tuesday release provided the complete fix.

The extended zero-day exploitation window, combined with the China Chopper web shell artifacts, led multiple threat intelligence firms to attribute early exploitation to Chinese state-sponsored actors, consistent with sustained interest in Exchange vulnerabilities for intelligence collection.

We are aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.

Microsoft Security Response Center, September 29, 2022
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating ProxyNotShell

Microsoft released patches for CVE-2022-41040 and CVE-2022-41082 on November 8, 2022 (November Patch Tuesday). All Exchange Server deployments must be updated. The following additional steps address post-exploitation risk.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

ProxyNotShell is the third major Exchange exploit chain in two years, following ProxyLogon and ProxyShell. The pattern is consistent: Exchange's complexity, its deep integration with Windows authentication, and its exposure as an internet-facing service make it a persistent high-value target.

The authentication requirement is meaningful but not a strong barrier. Exchange credentials are routinely exposed through phishing, password spraying, and credential breach datasets. Any attacker with a mailbox account, including those obtained through commodity credential theft, had a viable path to SYSTEM-level RCE on Exchange servers during the ProxyNotShell zero-day window.

Organizations running on-premises Exchange should treat every Exchange-targeted vulnerability as a potential zero-day scenario with active exploitation, apply patches within 48 hours, and implement post-patch compromise assessments. The better long-term answer for many organizations is Exchange Online migration, which shifts the patching responsibility to Microsoft and eliminates the on-premises attack surface entirely.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is ProxyNotShell (CVE-2022-41040 / CVE-2022-41082)?

ProxyNotShell is a two-CVE chain in Microsoft Exchange Server. CVE-2022-41040 is an SSRF that provides access to Exchange's internal PowerShell remoting endpoint. CVE-2022-41082 is an RCE via that PowerShell endpoint. Together they allow an authenticated attacker with any valid mailbox account to achieve SYSTEM-level code execution on the Exchange server.

What credentials are needed to exploit ProxyNotShell?

Any valid Exchange mailbox account with no special permissions. Low-privilege credentials sufficient. This means phished or breached email credentials directly enable server compromise.

How do I fix ProxyNotShell?

Apply Microsoft's November 2022 Patch Tuesday updates for Exchange Server 2013, 2016, and 2019. Ensure the IIS URL Rewrite module is installed (required for Microsoft's interim mitigation). Exchange Online is not affected.

Is Exchange Online (Microsoft 365) affected by ProxyNotShell?

No. CVE-2022-41040 and CVE-2022-41082 only affect on-premises Exchange Server 2013, 2016, and 2019. Microsoft manages and patches Exchange Online before vulnerabilities can be exploited externally. Organizations that have fully migrated to Exchange Online or Microsoft 365 are not affected. This is one of the primary security arguments for migrating from on-premises Exchange to the cloud-hosted service, eliminating exposure to recurring Exchange vulnerability chains.

How long was ProxyNotShell exploited as a zero-day before Microsoft patched it?

Vietnamese cybersecurity firm GTSC discovered CVE-2022-41040 and CVE-2022-41082 being exploited during an incident response engagement in August 2022 and reported the findings to Microsoft through Zero Day Initiative. Microsoft confirmed the vulnerabilities and published mitigation guidance September 29, 2022. The November 8, 2022 Patch Tuesday released the complete fix. This means ProxyNotShell was exploited in the wild for approximately 3 months before patches were available, with Chinese state-sponsored actors among the confirmed early exploiters.

Did Microsoft's interim URL Rewrite mitigations fully block ProxyNotShell?

No. Microsoft's initial URL Rewrite rule mitigations published September 29, 2022 were found to be bypassable. Security researchers identified bypass methods within days of publication. Microsoft updated the mitigation rules multiple times before the November 2022 Patch Tuesday release. This pattern of incomplete mitigations reinforced that temporary workarounds should be treated as delay tactics enabling patching preparation, not as definitive fixes. Organizations that relied on the interim mitigation without applying the November patches remained exposed via bypass methods.

Sources & references

  1. NVD CVE-2022-41040
  2. NVD CVE-2022-41082
  3. Microsoft MSRC
  4. GTSC Discovery

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.