ProxyNotShell SSRF in Microsoft Exchange Server
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability in on-premises Microsoft Exchange Server 2013, 2016, and 2019. In the ProxyNotShell exploit chain, an authenticated attacker abuses the Exchange Autodiscover mechanism and insufficient input filtering to reach the privileged Exchange PowerShell endpoint (/powershell). Microsoft and multiple supporting sources describe CVE-2022-41040 as the first stage that enables an authenticated attacker to remotely trigger CVE-2022-41082. Public reporting indicates the flaw can be exercised with valid Exchange credentials and crafted HTTP requests that route through Autodiscover to the PowerShell endpoint, after which the attacker can interact with Exchange PowerShell remoting and proceed to code execution through the chained vulnerability.
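As an added defensive example (not code from this page or from Microsoft), the following Python scans IIS W3C log lines for the request shape described above: a request to /autodiscover/autodiscover.json whose query string carries "powershell". The same pairing of Autodiscover path and PowerShell token is what Microsoft's published URL Rewrite mitigation matched on; the log excerpt below is constructed, with the field layout following IIS defaults.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not a real capture). Field names follow the
# IIS default layout; spaces inside values are '+' and empty fields are '-'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@corp.example 443 CONTOSO\\jdoe 198.51.100.7 Microsoft+Office/16.0 200
2022-09-30 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json a@corp.example/powershell?X=1 443 CONTOSO\\jdoe 198.51.100.7 python-requests/2.28.1 200
2022-09-30 10:15:04 10.0.0.5 POST /autodiscover/autodiscover.json a@corp.example/%50owershell?X=1 443 CONTOSO\\jdoe 198.51.100.7 python-requests/2.28.1 200
2022-09-30 10:16:10 10.0.0.5 GET /owa/ - 443 CONTOSO\\asmith 203.0.113.9 Mozilla/5.0+(Windows) 200
2022-09-30 10:17:22 10.0.0.5 POST /powershell PSVersion=5.1.17763.1 443 CONTOSO\\exadmin 10.0.0.20 Microsoft+WinRM+Client 200
"""

AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):  # skip malformed or truncated lines
            rows.append(dict(zip(fields, parts)))
    return rows


def find_proxynotshell_candidates(rows):
    """Flag Autodiscover requests whose query carries the PowerShell proxy path.

    Both conditions must hold: a request to the autodiscover.json stem AND
    'powershell' somewhere in the URL-decoded query. Ordinary Autodiscover
    lookups and legitimate direct /powershell sessions each match only one.
    """
    hits = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        query = unquote(r.get("cs-uri-query", ""))  # undo one layer of %-encoding
        if stem.endswith(AUTODISCOVER_STEM) and POWERSHELL_RE.search(query):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell_candidates(parse_iis_w3c(SAMPLE_LOG)):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-username"], hit["cs-uri-query"])
```

Only a single layer of percent-encoding is undone, so double-encoded or otherwise obfuscated tokens need normalisation before this check; the hits should be correlated with the authenticated user and source IP rather than blocked blindly.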
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. The repository contains two files: a Python script (CVE-2022-41040.py) and a README.md. The Python script automates the process of downloading SSRF payload templates, replacing a placeholder with an attacker-supplied out-of-band (OOB) domain, and generating a list of formatted payloads for mass testing with ffuf and unfurl. The README.md explains both manual and automated exploitation steps, provides example payloads, and lists required tools. The exploit's main capability is to trigger SSRF requests from Exchange servers to an attacker-controlled domain, allowing the attacker to confirm the vulnerability via OOB interactions. The repository is structured for both manual and automated mass exploitation, targeting the /autodiscover/autodiscover.json endpoint on Exchange servers. No weaponized or post-exploitation payloads are included; the focus is on vulnerability verification.
This repository contains a Python proof-of-concept exploit for CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. The repository consists of a README with usage instructions and a single Python script, 'microsoft_exchange_server_proxynotshell_ssrf.py'. The script is described as a custom Metasploit module but is written in standalone Python, not Ruby. It requires the 'requests' library and interacts with the target Exchange server by sending crafted HTTP requests to the '/autodiscover/autodiscover.json' endpoint, attempting to trigger SSRF. The exploit uses the public DNSLog service (dnslog.cn) to detect whether the Exchange server makes outbound DNS requests, confirming the SSRF vulnerability. The script also attempts to extract additional information from the Exchange server via the '/mapi/nspi' endpoint. The exploit requires valid authentication to the Exchange server and is intended for security testing and vulnerability confirmation. No weaponized or post-exploitation payload is included; the script is a PoC for detection and confirmation of the SSRF flaw.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Exchange exploit chain comprising CVE-2022-41040 and CVE-2022-41082, used to gain unauthenticated remote code execution on unpatched Exchange servers for initial access.
A Microsoft Exchange exploit chain involving CVE-2022-41040 and CVE-2022-41082 that enables unauthenticated remote code execution on unpatched Exchange servers and was used here as the repeated initial access vector.
A Microsoft Exchange Server vulnerability that is part of the ProxyNotShell exploit chain, involving SSRF abuse that can lead to remote code execution as SYSTEM.
A server-side request forgery (SSRF) vulnerability in Microsoft Exchange, exploited for initial access by ransomware groups.