CVE-2022-41040 and CVE-2022-41082 Explained: ProxyNotShell, the Microsoft Exchange Chain
Two chained Exchange Server vulnerabilities — an SSRF and a PowerShell RCE — requiring only valid credentials to achieve full server compromise. Disclosed September 2022, exploited before patches existed.

Founder & Cybersecurity Evangelist
CVE-2022-41040 and CVE-2022-41082 are two Microsoft Exchange Server vulnerabilities that, when chained, allow an authenticated attacker with a valid mailbox account to achieve remote code execution on the Exchange server. The combination was named ProxyNotShell by the security community due to its similarity to the ProxyShell exploit chain from 2021.
The vulnerabilities were discovered by Vietnamese cybersecurity firm GTSC during an incident response engagement in August 2022, where attackers were actively using them as a zero-day. GTSC reported the findings to Microsoft through the Zero Day Initiative. Microsoft confirmed active exploitation and published mitigation guidance while developing patches, which were released in November 2022.
The ProxyNotShell Chain: SSRF to PowerShell RCE
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server's Autodiscover component. When exploited, it allows an authenticated attacker to make the Exchange server issue HTTP requests to internal endpoints that should not be externally reachable — including the PowerShell remoting endpoint on port 44336.
CVE-2022-41082 is a remote code execution vulnerability accessible via Exchange's PowerShell remoting interface. Alone, it requires a network path to the PowerShell endpoint that is typically not internet-accessible. Chained with CVE-2022-41040, the SSRF provides exactly that path — routing the attacker's crafted PowerShell commands through Exchange's own internal request mechanism.
The combined attack requires valid Exchange credentials (any mailbox user with no special permissions) and network access to the Exchange server's HTTPS interface on port 443. From that baseline, the chain achieves RCE running as SYSTEM on the Exchange server.
Shell artifacts observed in early exploitation included China Chopper-variant web shells — the same webshell family used in the ProxyLogon campaign of March 2021 — suggesting continuity between threat actor toolsets targeting Exchange.
Authenticate with valid credentials
Attacker authenticates to Exchange using any valid mailbox account. Low-privilege credentials are sufficient — no admin rights required. Credentials may be obtained via phishing, credential stuffing, or prior compromise.
Exploit CVE-2022-41040 SSRF
Send a crafted request to the Autodiscover endpoint that causes Exchange to make an internal HTTP request to the Exchange PowerShell remoting endpoint (normally accessible only from localhost).
Reach PowerShell remoting endpoint
The SSRF routes the attacker's request to port 44336 — Exchange's internal PowerShell endpoint — through the Exchange server itself, bypassing network-level access controls.
Exploit CVE-2022-41082 for RCE
Deliver a crafted PowerShell payload via the proxied connection that exploits the deserialization or command injection flaw in CVE-2022-41082, achieving code execution in the context of the Exchange server process.
Deploy web shell
Write a web shell (commonly China Chopper) to the Exchange web root or OWA directory, establishing persistent access that survives patching if not detected and removed.
ProxyNotShell Compared to ProxyLogon and ProxyShell
Microsoft Exchange has been the site of three major exploit chain disclosures in two years. ProxyLogon (March 2021) used an SSRF plus a post-auth file write to achieve pre-authentication RCE. ProxyShell (August 2021) chained three CVEs through the Exchange Autodiscover service for unauthenticated RCE. ProxyNotShell (September 2022) requires authentication, making it more constrained than its predecessors — but still broadly exploitable given the frequency with which Exchange credentials are exposed through phishing and credential breach.
A critical difference: ProxyNotShell was being actively exploited in the wild as a zero-day for at least a month before Microsoft confirmed it publicly. During that period, Microsoft issued URL rewrite rule mitigations that were subsequently found to be bypassable. The November 2022 Patch Tuesday release provided the complete fix.
The extended zero-day exploitation window — combined with the China Chopper web shell artifacts — led multiple threat intelligence firms to attribute early exploitation to Chinese state-sponsored actors, consistent with sustained interest in Exchange vulnerabilities for intelligence collection.
“We are aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.”
— Microsoft Security Response Center, September 29, 2022
Patching and Mitigating ProxyNotShell
Microsoft released patches for CVE-2022-41040 and CVE-2022-41082 on November 8, 2022 (November Patch Tuesday). All Exchange Server deployments must be updated. The following additional steps address post-exploitation risk.
Apply November 2022 Exchange Security Updates
Install the November 8, 2022 Security Update for Exchange Server 2013, 2016, or 2019. This is the complete fix for both CVEs. Check that the update ran the EWS application pool restart and executed the post-install health check scripts.
Audit IIS logs for web shell indicators
Search Exchange IIS logs for POST requests to .aspx files in the OWA, ECP, or Autodiscover directories that do not match known application endpoints. China Chopper web shells typically receive short POST requests to a single ASPX file with an encoded command parameter.
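The hunt described above, as an added example that is not part of the original article: a small Python script that reads IIS W3C log lines, keeps only POST requests to .aspx files under the OWA, ECP and Autodiscover directories, and reports any file that is not on an allow-list of known application endpoints, together with how many POSTs it received, from which client IPs, and how small the request bodies were. The log lines, the field layout, the web shell file name and the allow-list are all constructed for illustration; a real allow-list should be built from the web root of a known-good Exchange server of the same build.

```python
"""Hunt Exchange IIS W3C logs for POSTs to unexpected .aspx files (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, Iterator

# Directories called out in the article; matched case-insensitively on cs-uri-stem.
WATCHED_DIRS = ("/owa/", "/ecp/", "/autodiscover/")

# ASSUMPTION: illustrative allow-list only. Populate it from a known-good server.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Constructed sample log (IIS replaces spaces inside a field with '+').
# "/owa/auth/placeholder_shell.aspx" is a made-up file name, not a real indicator.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2022-09-30 10:01:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows) 200 512
2022-09-30 10:01:09 10.0.0.5 GET /owa/ - 443 CORP\\alice 198.51.100.7 Mozilla/5.0+(Windows) 200 0
2022-09-30 10:01:12 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 198.51.100.7 Outlook/16.0 200 640
2022-09-30 10:01:15 10.0.0.5 POST /owa/auth/placeholder_shell.aspx - 443 - 203.0.113.9 python-requests/2.28 200 87
2022-09-30 10:01:16 10.0.0.5 POST /owa/auth/placeholder_shell.aspx - 443 - 203.0.113.9 python-requests/2.28 200 91
2022-09-30 10:02:40 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\bob 198.51.100.8 Mozilla/5.0+(Windows) 200 1024
"""


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspicious(rec: Dict[str, str]) -> bool:
    """POST to an .aspx file in a watched directory that is not a known endpoint."""
    stem = rec.get("cs-uri-stem", "").lower()
    if rec.get("cs-method", "").upper() != "POST" or not stem.endswith(".aspx"):
        return False
    if not stem.startswith(WATCHED_DIRS):
        return False
    return stem not in KNOWN_ASPX


def hunt(lines: Iterable[str]) -> Dict[str, dict]:
    """Group suspicious POSTs by target file with counts, clients, users and body sizes."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "users": set(), "bytes": []})
    for rec in parse_iis_w3c(lines):
        if not is_suspicious(rec):
            continue
        h = hits[rec["cs-uri-stem"].lower()]
        h["count"] += 1
        h["clients"].add(rec.get("c-ip", "-"))
        h["users"].add(rec.get("cs-username", "-"))
        if rec.get("cs-bytes", "-").isdigit():  # request body size, when logged
            h["bytes"].append(int(rec["cs-bytes"]))
    return dict(hits)


if __name__ == "__main__":
    for stem, info in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{stem}: {info['count']} POSTs from {sorted(info['clients'])}, "
              f"users {sorted(info['users'])}, body bytes {info['bytes']}")
```

Run it against real logs with `hunt(open(path, encoding="utf-8"))`; the useful signal is a file that nobody deployed receiving repeated, tiny, unauthenticated POSTs from one or two client addresses, which is the traffic shape the paragraph describes for China Chopper.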
Hunt for unauthorized accounts and persistence
Check for new local administrator accounts, new scheduled tasks, new Exchange transport rules, and unauthorized mailbox delegations. Attackers who established footholds during the zero-day window may have planted persistence mechanisms.
Enable Extended Protection for Authentication
Microsoft recommends enabling Extended Protection for Authentication on Exchange servers to harden against future NTLM relay and SSRF-based authentication bypass attacks. Run the provided ExchangeExtendedProtectionManagement.ps1 script after patching.
Restrict Exchange HTTPS access by IP where feasible
Limit which source IPs can reach Exchange HTTPS services. While Exchange often requires broad access, restricting OWA and Autodiscover to known geographic ranges or corporate egress IPs reduces the exploitable attack surface for externally facing components.
The bottom line
ProxyNotShell is the third major Exchange exploit chain in two years — following ProxyLogon and ProxyShell. The pattern is consistent: Exchange's complexity, its deep integration with Windows authentication, and its exposure as an internet-facing service make it a persistent high-value target.
The authentication requirement is meaningful but not a strong barrier. Exchange credentials are routinely exposed through phishing, password spraying, and credential breach datasets. Any attacker with a mailbox account — including those obtained through commodity credential theft — had a viable path to SYSTEM-level RCE on Exchange servers during the ProxyNotShell zero-day window.
Organizations running on-premises Exchange should treat every Exchange-targeted vulnerability as a potential zero-day scenario with active exploitation, apply patches within 48 hours, and implement post-patch compromise assessments. The better long-term answer for many organizations is Exchange Online migration, which shifts the patching responsibility to Microsoft and eliminates the on-premises attack surface entirely.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.