
There are still thousands of Microsoft Exchange servers that are susceptible to this serious bug

Security experts have cautioned that tens of thousands of Microsoft Exchange servers are still susceptible to a critical weakness that is being exploited in ProxyNotShell attacks.

Shadowserver Foundation, a cybersecurity firm, reported that almost 70,000 IP addresses were susceptible to the remote code execution (RCE) vulnerability CVE-2022-41082, which was fixed in early November of 2017.

At the time of publication, Shadowserver’s statistics showed at least 57,000 susceptible IPs, although the findings were “derived by averaging counts of unique IPs, which implies that a ‘unique’ IP may have been counted more than once,” as the disclaimer put it.

Corrections and adjustments

Shadowserver cautioned that “all results should be viewed as suggestive rather than accurate,” but noted that dropping numbers could signal a favourable trend.

The aforementioned CVE-2022-41082 is one of two critical vulnerabilities known collectively as ProxyNotShell; the other is CVE-2022-41040, an elevation of privilege flaw that was also fixed in early November. Exchange Server 2013, 2016, and 2019 are all susceptible.

Researchers recommend that IT professionals deploy the patch rather than rely on the mitigations, since the mitigations may be bypassed. BleepingComputer reported that ransomware authors were using a recently disclosed chain of vulnerabilities to remotely execute malicious code on their victims’ machines, despite the presence of ProxyNotShell mitigations designed to prevent this.

Hackers often aim for Exchange servers because of their high value. The notorious LockBit organisation, for instance, was recently detected spreading malware via hacked Exchange servers. LockBit 3.0 attacked two servers belonging to the same firm in the summer of last year. The report claims that the attackers began by deploying a web shell, gained administrator access to Active Directory a week later, took 1.3 terabytes of data, and encrypted computers on the network.

A malicious campaign was discovered late last year attempting to exploit the patched ProxyShell vulnerability in Microsoft Exchange.