Learn Exchange server ProxyShell RCE & ProxyNotShell.

josh (@josh)

Let’s break down two major Microsoft Exchange Server vulnerabilities: ProxyShell and ProxyNotShell. Both have been exploited in the wild and can lead to Remote Code Execution (RCE) and full server compromise.


🧨 ProxyShell Vulnerability

🔍 What Is ProxyShell?

ProxyShell is a chain of three vulnerabilities in Microsoft Exchange Server that allows unauthenticated remote code execution. It was disclosed in 2021 and affects Exchange 2013, 2016, and 2019.

🧩 CVEs Involved

  • CVE-2021-34473 – Path confusion vulnerability
  • CVE-2021-34523 – Privilege escalation via PowerShell
  • CVE-2021-31207 – Arbitrary file write leading to RCE

🧠 How It Works

  1. Bypass authentication using path confusion.
  2. Escalate privileges via PowerShell backend.
  3. Write web shell to disk and execute arbitrary code.

⚠️ Impact

  • Full server takeover
  • Deployment of ransomware
  • Data exfiltration

🛡️ Mitigation

  • Apply latest Cumulative Updates (CU) and Security Updates (SU)
  • Disable unnecessary services
  • Monitor for suspicious PowerShell activity

🔗 Microsoft’s official guidance


🧨 ProxyNotShell Vulnerability

🔍 What Is ProxyNotShell?

ProxyNotShell is a zero-day vulnerability chain discovered in 2022. It affects Exchange 2013, 2016, and 2019 and requires authenticated access to exploit.

🧩 CVEs Involved

  • CVE-2022-41040 – Server-side request forgery (SSRF)
  • CVE-2022-41082 – PowerShell deserialization RCE

🧠 How It Works

  1. Authenticated attacker exploits SSRF to access PowerShell backend.
  2. Deserialization flaw allows remote code execution.
  3. Web shell deployment for persistent access.

⚠️ Impact

  • Requires low-privileged user credentials
  • Can lead to full Exchange compromise
  • Used to deploy China Chopper web shells

🛡️ Mitigation

  • Apply Microsoft’s patches
  • Restrict access to Outlook Web App (OWA)
  • Monitor IIS logs for suspicious autodiscover requests

🔗 CSO Online breakdown