CVE-2022-41040 Overview
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server that allows authenticated attackers to elevate privileges. This vulnerability, commonly known as "ProxyNotShell," enables attackers with valid credentials to remotely trigger the flaw and potentially chain it with other vulnerabilities for remote code execution. The vulnerability exists in the Exchange Server's Autodiscover endpoint, where improper handling of requests allows attackers to abuse the server's ability to make requests on behalf of the user.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities Catalog. Authenticated attackers can exploit this SSRF flaw to gain elevated privileges on vulnerable Exchange servers, potentially leading to complete server compromise when chained with CVE-2022-41082.
Affected Products
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 22 and Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 11 and Cumulative Update 12
Discovery Timeline
- October 3, 2022 - CVE-2022-41040 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-41040
Vulnerability Analysis
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918. The flaw resides in Microsoft Exchange Server's handling of Autodiscover requests. When an authenticated attacker crafts a specially malformed request to the Autodiscover endpoint, they can force the Exchange server to make arbitrary requests to internal resources or backend services that should not be directly accessible.
This vulnerability is particularly dangerous because it can be chained with CVE-2022-41082, a remote code execution vulnerability in Exchange's PowerShell backend. The combination of these two vulnerabilities, dubbed "ProxyNotShell," allows attackers to first bypass frontend access controls using the SSRF (CVE-2022-41040) and then execute arbitrary code via the PowerShell backend (CVE-2022-41082).
The attack requires valid Exchange credentials but does not require administrative privileges, making it exploitable by any authenticated user within the organization or by attackers who have compromised low-privilege credentials.
Root Cause
The root cause of CVE-2022-41040 lies in insufficient validation of user-supplied input within the Autodiscover endpoint of Microsoft Exchange Server. The vulnerability is similar to the earlier ProxyShell vulnerabilities but uses a different URL path pattern to bypass the mitigations Microsoft had previously deployed. The Exchange Server fails to properly sanitize and validate URLs in certain request parameters, allowing attackers to manipulate the server into making requests to arbitrary internal endpoints.
Attack Vector
The attack is network-based and can be executed remotely by any authenticated user. The attacker sends a specially crafted HTTP request to the vulnerable Exchange Server's Autodiscover endpoint. The malicious request contains a manipulated URL parameter that causes the server to forward the request to an internal backend service, specifically targeting the PowerShell remoting endpoint when chained with CVE-2022-41082.
The exploitation involves sending requests to paths like /autodiscover/autodiscover.json with carefully crafted query parameters that exploit the SSRF condition. The attacker leverages this to access internal services that would normally be inaccessible from the network, bypassing Exchange's security boundaries.
Detection Methods for CVE-2022-41040
Indicators of Compromise
- HTTP requests to /autodiscover/autodiscover.json containing suspicious query strings with @ characters followed by internal paths
- Requests containing patterns like /autodiscover/autodiscover.json?@evil.com/path or similar URL manipulation attempts
- Unusual PowerShell activity originating from the Exchange Server's w3wp.exe process
- Presence of webshells or suspicious files in Exchange directories following exploitation
Detection Strategies
- Monitor IIS logs for requests to the Autodiscover endpoint containing abnormal URL patterns, particularly those with embedded @ symbols and paths to internal services
- Implement network detection rules for HTTP requests matching ProxyNotShell exploitation patterns targeting Exchange servers
- Enable enhanced logging on Exchange servers and forward logs to SIEM for correlation with known attack indicators
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation activities such as spawned processes from IIS worker processes
Monitoring Recommendations
- Configure alerting for any HTTP requests to Exchange Autodiscover endpoints containing suspicious URL encoding or path traversal attempts
- Monitor Exchange Server processes for unusual child process creation, particularly PowerShell processes spawned by w3wp.exe
- Implement file integrity monitoring on Exchange installation directories to detect webshell deployment
- Review authentication logs for credential usage patterns that may indicate compromised accounts being used for exploitation
How to Mitigate CVE-2022-41040
Immediate Actions Required
- Apply the latest Microsoft security updates for Exchange Server immediately, as patches are available in the November 2022 Patch Tuesday release
- If patching is not immediately possible, implement the URL Rewrite mitigation rule provided by Microsoft to block exploitation attempts
- Audit authentication logs for evidence of compromise and investigate any suspicious activity
- Consider restricting remote PowerShell access and reviewing Exchange service configurations
Patch Information
Microsoft has released security updates to address CVE-2022-41040 as part of the November 2022 Patch Tuesday release cycle. Organizations should apply the latest cumulative updates for their respective Exchange Server versions. Detailed patch information and download links are available through the Microsoft Security Update Guide. Additional technical details can be found in the Microsoft Security Advisory and the CERT Vulnerability Note VU#915563.
Workarounds
- Implement Microsoft's recommended URL Rewrite rule to block malicious requests targeting the Autodiscover endpoint with suspicious patterns
- Disable remote PowerShell access for non-administrative users if not required for business operations
- Implement network segmentation to limit access to Exchange Server management interfaces
- Consider placing Exchange servers behind a web application firewall (WAF) with rules to detect and block ProxyNotShell exploitation attempts
# IIS URL Rewrite Rule (add to web.config in the Autodiscover directory)
# This blocks requests containing the malicious pattern used in exploitation
# Navigate to: %ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config
# Add the following URL Rewrite rule to block exploitation attempts:
# Pattern to block: .*autodiscover\.json.*\@.*Powershell.*
# Action: Abort Request
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
