Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit

Published: 23/11/2024   Category: security




The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.



The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November 2022.
The new method bypasses the interim mitigations Microsoft had published for the original exploit chain, so organizations that applied only those mitigations and have not yet installed the patch need to do so immediately.
The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called ProxyNotShell flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in September 2022 after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives an authenticated attacker a way to reach back-end services and elevate privileges on a compromised system.
In the attack that GTSC reported, the threat actor used the CVE-2022-41040 SSRF vulnerability to reach the Remote PowerShell service and from there triggered the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a URL Rewrite blocking rule in IIS to stop attackers from reaching the Remote PowerShell service through the Autodiscover endpoint. The company claimed, and security researchers agreed, that the blocking rule would prevent the known exploit patterns against the ProxyNotShell vulnerabilities.
This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft's mitigation for ProxyNotShell.
The method involves exploiting another, little-known SSRF bug in Exchange Server, tracked as CVE-2022-41080, to reach the Remote PowerShell service via the Outlook Web Access (OWA) front end instead of the Autodiscover endpoint. Microsoft fixed CVE-2022-41080 in the same November 2022 update and assigned it the same severity rating (CVSS 8.8) as the SSRF bug in the original ProxyNotShell exploit chain.
CVE-2022-41080 lets attackers reach the Remote PowerShell service and use it to exploit CVE-2022-41082 in exactly the same way as they could with CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group's new exploit chain as a previously undocumented way to reach the PowerShell remoting service through the OWA front-end endpoint instead of the Autodiscover endpoint.
Because Microsoft's ProxyNotShell mitigation only blocks requests to the Autodiscover endpoint on Exchange Server, requests that reach the Remote PowerShell service via the OWA front end are not blocked, the security vendor explained.
CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as OWASSRF.
Microsoft emphasized that the attack bypasses mitigations, but not the available patch for the issue.
“The reported method exploits vulnerable systems that have not applied our latest security updates,” a Microsoft spokesperson told Dark Reading. “Customers should prioritize installing the latest updates, specifically our November 2022 Exchange Server updates.”
CrowdStrike said it discovered the new exploit chain while investigating several recent Play ransomware intrusions in which the initial access vector was a Microsoft Exchange Server vulnerability. The researchers quickly found that the Play attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate tools used to maintain access and perform anti-forensics on the compromised Exchange servers.
However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike's further investigation showed that the attackers had used CVE-2022-41080 instead.
Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation, since the URL Rewrite mitigations for ProxyNotShell are not effective against this exploit method, CrowdStrike warned, echoing Microsoft. If you cannot apply the KB5019758 patch immediately, disable OWA until the patch can be applied.
The security vendor's other recommendations for reducing exposure to the new threat include disabling Remote PowerShell for non-administrative users where possible and using EDR tools to detect web server processes spawning PowerShell. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.
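Two of those interim controls, as an added example written for this page (not CrowdStrike's script and not Microsoft guidance): the first function turns off Remote PowerShell for every user who is not a member of the Exchange "Organization Management" role group, and the second pulls Sysmon process-creation events and reports shells spawned by the IIS worker process that hosts the Exchange front end. Assumptions, which are not in the article: the code runs in the Exchange Management Shell on the server, Sysmon is installed with Event ID 1 logging, and "Organization Management" (the default Exchange admin role group) is the right definition of "administrative user" for your environment.

```powershell
# Added example, not from the article or from CrowdStrike/Microsoft.
# Assumes: Exchange Management Shell on the server; Sysmon with process-creation
# (Event ID 1) logging; "Organization Management" is the admin role group to exempt.

# 1. Disable Remote PowerShell for every user who is not an Exchange admin.
#    Run with -WhatIf first to review who would be changed.
function Disable-RemotePowerShellForNonAdmins {
    param([switch]$WhatIf)
    # Distinguished names of the admin role group members (assumed exemption list).
    $admins = Get-RoleGroupMember 'Organization Management' |
        ForEach-Object { $_.DistinguishedName }

    Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true } |
        Where-Object { $admins -notcontains $_.DistinguishedName } |
        ForEach-Object {
            Set-User -Identity $_.Identity -RemotePowerShellEnabled $false -WhatIf:$WhatIf
            $_.UserPrincipalName   # emit who was (or would be) changed
        }
}

# 2. Report PowerShell or cmd processes whose parent is the IIS worker process
#    (w3wp.exe). Exchange's remoting endpoint runs inside w3wp and does not need
#    to launch powershell.exe, so these hits deserve a look.
function Find-WebShellSpawns {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties indexes, which vary between Sysmon versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['ParentImage'] -match '(?i)\\w3wp\.exe$' -and
            $data['Image'] -match '(?i)\\(powershell|pwsh|cmd)\.exe$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                User        = $data['User']
            }
        }
    }
}

# Usage: review first, then apply; then check the last day of process activity.
Disable-RemotePowerShellForNonAdmins -WhatIf
Find-WebShellSpawns -Hours 24 | Format-Table -AutoSize
```

Without Sysmon, the same check can be run over Security log event 4688 once process creation auditing and command-line logging are enabled, keying on the Creator Process Name field. Treat hits as leads to triage rather than something to auto-block, and remember that neither control replaces the November 2022 update: the SSRF still reaches the backend, it just has less to do once there.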



