CVE-2022-41040 and CVE-2022-41082 Explained: ProxyNotShell, the Microsoft Exchange Chain
Two chained Exchange Server vulnerabilities, an SSRF and a PowerShell RCE, requiring only valid credentials to achieve full server compromise. Disclosed September 2022, exploited before patches existed.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2022-41040 and CVE-2022-41082 are two Microsoft Exchange Server vulnerabilities that, when chained, allow an authenticated attacker with a valid mailbox account to achieve remote code execution on the Exchange server. The combination was named ProxyNotShell by the security community due to its similarity to the ProxyShell exploit chain from 2021.
The vulnerabilities were discovered by Vietnamese cybersecurity firm GTSC during an incident response engagement in August 2022, where attackers were actively using them as a zero-day. GTSC reported the findings to Microsoft through the Zero Day Initiative. Microsoft confirmed active exploitation and published mitigation guidance while developing patches, which were released in November 2022.
The ProxyNotShell Chain: SSRF to PowerShell RCE
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server's Autodiscover component. When exploited, it allows an authenticated attacker to make the Exchange server issue HTTP requests to internal endpoints that should not be externally reachable, including the PowerShell remoting endpoint on port 44336.
CVE-2022-41082 is a remote code execution vulnerability accessible via Exchange's PowerShell remoting interface. Alone, it requires a network path to the PowerShell endpoint that is typically not internet-accessible. Chained with CVE-2022-41040, the SSRF provides exactly that path, routing the attacker's crafted PowerShell commands through Exchange's own internal request mechanism.
The combined attack requires valid Exchange credentials (any mailbox user with no special permissions) and network access to the Exchange server's HTTPS interface on port 443. From that baseline, the chain achieves RCE running as SYSTEM on the Exchange server.
Shell artifacts observed in early exploitation included China Chopper-variant web shells, the same webshell family used in the ProxyLogon campaign of March 2021, suggesting continuity between threat actor toolsets targeting Exchange.
Authenticate with valid credentials
Attacker authenticates to Exchange using any valid mailbox account. Low-privilege credentials are sufficient, no admin rights required. Credentials may be obtained via phishing, credential stuffing, or prior compromise.
Exploit CVE-2022-41040 SSRF
Send a crafted request to the Autodiscover endpoint that causes Exchange to make an internal HTTP request to the Exchange PowerShell remoting endpoint (normally accessible only from localhost).
Reach PowerShell remoting endpoint
The SSRF routes the attacker's request to port 44336, Exchange's internal PowerShell endpoint, through the Exchange server itself, bypassing network-level access controls.
Exploit CVE-2022-41082 for RCE
Deliver a crafted PowerShell payload via the proxied connection that exploits the deserialization or command injection flaw in CVE-2022-41082, achieving code execution in the context of the Exchange server process.
Deploy web shell
Write a web shell (commonly China Chopper) to the Exchange web root or OWA directory, establishing persistent access that survives patching if not detected and removed.
ProxyNotShell Compared to ProxyLogon and ProxyShell
Microsoft Exchange has been the site of three major exploit chain disclosures in two years. ProxyLogon (March 2021) used an SSRF plus a post-auth file write to achieve pre-authentication RCE. ProxyShell (August 2021) chained three CVEs through the Exchange Autodiscover service for unauthenticated RCE. ProxyNotShell (September 2022) requires authentication, making it more constrained than its predecessors, but still broadly exploitable given the frequency with which Exchange credentials are exposed through phishing and credential breach.
A critical difference: ProxyNotShell was being actively exploited in the wild as a zero-day for at least a month before Microsoft confirmed it publicly. During that period, Microsoft issued URL rewrite rule mitigations that were subsequently found to be bypassable. The November 2022 Patch Tuesday release provided the complete fix.
The extended zero-day exploitation window, combined with the China Chopper web shell artifacts, led multiple threat intelligence firms to attribute early exploitation to Chinese state-sponsored actors, consistent with sustained interest in Exchange vulnerabilities for intelligence collection.
“We are aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.”
Microsoft Security Response Center, September 29, 2022
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Mitigating ProxyNotShell
Microsoft released patches for CVE-2022-41040 and CVE-2022-41082 on November 8, 2022 (November Patch Tuesday). All Exchange Server deployments must be updated. The following additional steps address post-exploitation risk.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
ProxyNotShell is the third major Exchange exploit chain in two years, following ProxyLogon and ProxyShell. The pattern is consistent: Exchange's complexity, its deep integration with Windows authentication, and its exposure as an internet-facing service make it a persistent high-value target.
The authentication requirement is meaningful but not a strong barrier. Exchange credentials are routinely exposed through phishing, password spraying, and credential breach datasets. Any attacker with a mailbox account, including those obtained through commodity credential theft, had a viable path to SYSTEM-level RCE on Exchange servers during the ProxyNotShell zero-day window.
Organizations running on-premises Exchange should treat every Exchange-targeted vulnerability as a potential zero-day scenario with active exploitation, apply patches within 48 hours, and implement post-patch compromise assessments. The better long-term answer for many organizations is Exchange Online migration, which shifts the patching responsibility to Microsoft and eliminates the on-premises attack surface entirely.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is ProxyNotShell (CVE-2022-41040 / CVE-2022-41082)?
ProxyNotShell is a two-CVE chain in Microsoft Exchange Server. CVE-2022-41040 is an SSRF that provides access to Exchange's internal PowerShell remoting endpoint. CVE-2022-41082 is an RCE via that PowerShell endpoint. Together they allow an authenticated attacker with any valid mailbox account to achieve SYSTEM-level code execution on the Exchange server.
What credentials are needed to exploit ProxyNotShell?
Any valid Exchange mailbox account with no special permissions. Low-privilege credentials sufficient. This means phished or breached email credentials directly enable server compromise.
How do I fix ProxyNotShell?
Apply Microsoft's November 2022 Patch Tuesday updates for Exchange Server 2013, 2016, and 2019. Ensure the IIS URL Rewrite module is installed (required for Microsoft's interim mitigation). Exchange Online is not affected.
Is Exchange Online (Microsoft 365) affected by ProxyNotShell?
No. CVE-2022-41040 and CVE-2022-41082 only affect on-premises Exchange Server 2013, 2016, and 2019. Microsoft manages and patches Exchange Online before vulnerabilities can be exploited externally. Organizations that have fully migrated to Exchange Online or Microsoft 365 are not affected. This is one of the primary security arguments for migrating from on-premises Exchange to the cloud-hosted service, eliminating exposure to recurring Exchange vulnerability chains.
How long was ProxyNotShell exploited as a zero-day before Microsoft patched it?
Vietnamese cybersecurity firm GTSC discovered CVE-2022-41040 and CVE-2022-41082 being exploited during an incident response engagement in August 2022 and reported the findings to Microsoft through Zero Day Initiative. Microsoft confirmed the vulnerabilities and published mitigation guidance September 29, 2022. The November 8, 2022 Patch Tuesday released the complete fix. This means ProxyNotShell was exploited in the wild for approximately 3 months before patches were available, with Chinese state-sponsored actors among the confirmed early exploiters.
Did Microsoft's interim URL Rewrite mitigations fully block ProxyNotShell?
No. Microsoft's initial URL Rewrite rule mitigations published September 29, 2022 were found to be bypassable. Security researchers identified bypass methods within days of publication. Microsoft updated the mitigation rules multiple times before the November 2022 Patch Tuesday release. This pattern of incomplete mitigations reinforced that temporary workarounds should be treated as delay tactics enabling patching preparation, not as definitive fixes. Organizations that relied on the interim mitigation without applying the November patches remained exposed via bypass methods.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
