ProxyNotShell SSRF in Microsoft Exchange Server
CVE-2022-41040 is a Microsoft Exchange Server vulnerability affecting on-premises Exchange Server 2013, 2016, and 2019. Although some sources label it an elevation-of-privilege issue, the sources tracked on this page consistently describe the underlying flaw as a server-side request forgery (SSRF) that lets an authenticated attacker reach internal Exchange functionality. In the ProxyNotShell exploit chain, CVE-2022-41040 is used to remotely trigger CVE-2022-41082 through Exchange PowerShell access, enabling follow-on code execution. Microsoft reported in-the-wild exploitation and stated that successful exploitation, when chained appropriately, can allow the attacker to run PowerShell in the context of SYSTEM. The issue was publicly disclosed in late September 2022, and Microsoft released security updates on November 8, 2022.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a proof-of-concept (POC) exploit for CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. The repository contains two files: a Python script (CVE-2022-41040.py) and a README.md. The Python script automates the process of downloading SSRF payload templates, replacing a placeholder with an attacker-supplied out-of-band (OOB) domain, and generating a list of formatted payloads for mass testing using ffuf and unfurl. The README.md explains both manual and automated exploitation steps, provides example payloads, and lists required tools. The exploit's main capability is to trigger SSRF requests from Exchange servers to an attacker-controlled domain, allowing the attacker to confirm the vulnerability via OOB interactions. The repository is structured for both manual and automated mass exploitation, targeting the /autodiscover/autodiscover.json endpoint on Exchange servers. No weaponized or post-exploitation payloads are included; the focus is on vulnerability verification.
This repository contains a Python proof-of-concept exploit for CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. The repository consists of a README with usage instructions and a single Python script, 'microsoft_exchange_server_proxynotshell_ssrf.py'. The script is designed to be used as a custom module in Metasploit but is written in standalone Python, not Ruby. It requires the 'requests' library and interacts with the target Exchange server by sending crafted HTTP requests to the '/autodiscover/autodiscover.json' endpoint, attempting to trigger SSRF. The exploit uses the public DNSLog service (dnslog.cn) to detect if the Exchange server makes outbound DNS requests, confirming the SSRF vulnerability. The script also attempts to extract additional information from the Exchange server via the '/mapi/nspi' endpoint. The exploit requires valid authentication to the Exchange server and is intended for security testing and vulnerability confirmation. No weaponized or post-exploitation payload is included; the script is a POC for detection and confirmation of the SSRF flaw.
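Both proof-of-concept repositories summarized above probe the /autodiscover/autodiscover.json endpoint, and the CVE summary above describes the chain as reaching Exchange PowerShell through that SSRF. The following is an added defender-side example, not code from this page or from either repository: it parses IIS W3C request logs (the format the Exchange front end writes) and flags requests to autodiscover.json whose decoded URI also references "powershell". The log lines are constructed samples, the field order is an assumption about the logging configuration (the parser keys off the #Fields header, so a different selection still works), and the heuristic is a triage filter, not a verified signature.

```python
"""Flag IIS request-log rows consistent with ProxyNotShell-style probing.

Added example. Assumptions: W3C-format IIS logs with a #Fields header, and
the heuristic "autodiscover.json in the URI stem AND powershell anywhere in the
decoded stem or query" taken from the CVE description above. Sample log lines
are constructed, not real traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

AUTODISCOVER_JSON = re.compile(r"autodiscover\.json", re.IGNORECASE)
POWERSHELL = re.compile(r"powershell", re.IGNORECASE)

# Constructed sample log. Row 2 is the only one that should be flagged; row 1 is
# ordinary Outlook autodiscover traffic that must NOT trip the heuristic.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-10-01 12:00:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=Autodiscoverv1 443 example\alice 10.0.0.20 200
2022-10-01 12:00:02 10.0.0.5 POST /autodiscover/autodiscover.json probe=%2Fpowershell 443 example\alice 198.51.100.7 401
2022-10-01 12:00:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 200
2022-10-01 12:00:04 10.0.0.5 GET /mapi/nspi/ - 443 example\bob 10.0.0.22 200
""".strip().splitlines()


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    username: str
    uri: str
    status: str


def parse_w3c(lines):
    """Yield one dict per data row, keyed by the names in the #Fields header.

    Comment lines are skipped; rows whose column count does not match the
    header (truncated writes, rotated files) are dropped rather than misread.
    """
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_proxynotshell_probe(row):
    """True when the stem targets autodiscover.json and the decoded URI mentions powershell.

    The query is percent-decoded once so that a simple %2F-style encoding does
    not hide the keyword; a missing query is logged by IIS as '-'.
    """
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    decoded = unquote(stem) + "?" + unquote(query)
    return bool(AUTODISCOVER_JSON.search(stem) and POWERSHELL.search(decoded))


def scan(lines):
    """Return a Hit for every row that matches the heuristic, in log order."""
    hits = []
    for row in parse_w3c(lines):
        if is_proxynotshell_probe(row):
            hits.append(Hit(
                timestamp=f"{row.get('date', '')} {row.get('time', '')}",
                client_ip=row.get("c-ip", ""),
                username=row.get("cs-username", "-"),
                uri=f"{row.get('cs-uri-stem', '')}?{row.get('cs-uri-query', '-')}",
                status=row.get("sc-status", ""),
            ))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} user={hit.username} "
              f"status={hit.status} uri={hit.uri}")
```

The username and status columns matter for triage: the CVE summary above notes that exploitation requires valid credentials, so a flagged request carrying a real mailbox user with a 200 response warrants the assume-compromise checklist, whereas a stream of 401s from one external address is more consistent with credential-less scanning. Point `scan` at the live log files under the IIS log directory instead of `SAMPLE_LOG` to run it against real data.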
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Exchange exploit chain comprising CVE-2022-41040 and CVE-2022-41082, used to gain unauthenticated remote code execution on unpatched Exchange servers for initial access.
A Microsoft Exchange exploit chain involving CVE-2022-41040 and CVE-2022-41082 that enables unauthenticated remote code execution on unpatched Exchange servers and was used here as the repeated initial access vector.
A Microsoft Exchange Server vulnerability that is part of the ProxyNotShell exploit chain, involving SSRF abuse that can lead to remote code execution as SYSTEM.
A server-side request forgery (SSRF) vulnerability in Microsoft Exchange, exploited for initial access by ransomware groups.